Rootkit infection - MBR Rootkit?? eBay & PayPal affected


  • This topic is locked
32 replies to this topic

#1 geminis076 (Members, 22 posts, Location: California)

Posted 14 December 2009 - 01:04 AM

Hello! I believe my computer has an infection, and I'm not sure what it is or how to get rid of it. Hopefully I have followed the log and posting instructions carefully as I would like to avoid any delays and try to resolve this as soon as possible.

What my computer is doing:


It's slower than normal, but the big thing that seems to have started on Saturday 12/12/09 is that whenever I log into my eBay and PayPal account, the next page I'm directed to is a Fraud Prevention page asking me to submit a ton of personal and financial information, everything from my SS# to my ATM + PIN number. I am on the official eBay and PayPal website, happens after I log in using my username and password, I see no way to skip it, and no way to get rid of it. This is NOT eBay or PayPal, it's absolutely fake, neither site would ask for such information, there are even spelling errors. You can view a screen shot of the page here:

Screenshot of Fake eBay Fraud Prevention Page

Doesn't appear every single time, but often enough throughout the following day (today), at least 5-6 times out of 10. I have several eBay listings currently listed, eBay and PayPal are both important to me.


What I have done - my computer info

I'm running Windows XP, sp 3, Firefox browser, Dell desktop, wired DSL connection. Only things I have done "prior" to the logs and steps asked by BleepingComputer are:

1. ran a scan with Malwarebytes (4 objects found)
2. scanned with Avast antivirus (nothing found)
3. scanned with SuperAntiSpyware (no items found)
4. cleared internet cookies
5. uninstalled and re-installed Firefox
6. not experienced enough to do anything else
7. A help request has not been posted elsewhere


Hopefully this isn't too-too difficult but more importantly resolvable. I appreciate any information and help, thank you :( ! Attach.txt and ark.txt have been uploaded, please let me know if there have been any errors.

----------------------------------------------------------------------------------------------------------------------------------------------



DDS (Ver_09-12-01.01) - NTFSx86
Run by natalie at 20:32:32.18 on 2009-12-13
Internet Explorer: 7.0.5730.13 BrowserJavaVersion: 1.6.0_17
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.510.148 [GMT -8:00]

AV: avast! antivirus 4.8.1368 [VPS 091213-0] *On-access scanning enabled* (Updated) {7591DB91-41F0-48A3-B128-1A293FD8233D}

============== Running Processes ===============

C:\WINDOWS\system32\svchost -k DcomLaunch
svchost.exe
C:\WINDOWS\System32\svchost.exe -k netsvcs
svchost.exe
svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\ImgIcon.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe
C:\Program Files\iTunes2\iTunesHelper.exe
C:\Program Files\Canon\BJPV\TVMon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\spoolsv.exe
svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe -k imgsvc
C:\Program Files\Iomega\AutoDisk\ADService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\natalie\Desktop\Bleeping Comp\dds.scr

============== Pseudo HJT Report ===============

uStart Page = hxxp://www.yahoo.com/
uSearchMigratedDefaultURL = hxxp://www.google.com/search?q={searchTerms}
uInternet Settings,ProxyOverride = 127.0.0.1;*.local
uSearchURL,(Default) = hxxp://www.google.com/search?q=%s
uURLSearchHooks: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: &Yahoo! Toolbar Helper: {02478d38-c3f9-4efb-9b51-7695eca05670} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
BHO: Adobe PDF Reader Link Helper: {06849e9f-c8d7-4d59-b87d-784b7d6be0b3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No File
BHO: Yahoo! IE Services Button: {5bab4b5b-68bc-4b02-94d6-2fc0de4a7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
BHO: Google Toolbar Helper: {aa58ed58-01dd-4d91-8333-cf10577473f7} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
BHO: Google Toolbar Notifier BHO: {af69de43-7d58-4638-b6fa-ce66b5ad205d} - c:\program files\google\googletoolbarnotifier\5.4.4525.1752\swg.dll
BHO: Java™ Plug-In 2 SSV Helper: {dbc80044-a445-435b-bc74-9c25c1c588a9} - c:\program files\java\jre6\bin\jp2ssv.dll
BHO: JQSIEStartDetectorImpl Class: {e7e6f031-17ce-4c07-bc86-eabfe594f69c} - c:\program files\java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
BHO: SidebarAutoLaunch Class: {f2aa9440-6328-4933-b7c9-a6ccdf9cbf6d} - c:\program files\yahoo!\browser\YSidebarIEBHO.dll
TB: Yahoo! Toolbar: {ef99bd32-c1fb-11d2-892f-0090271d4f88} - c:\program files\yahoo!\companion\installs\cpn0\yt.dll
TB: Google Toolbar: {2318c2b1-4965-11d4-9b18-009027a5cd4f} - c:\program files\google\google toolbar\GoogleToolbar_32.dll
uRun: [Yahoo! Pager] 1
uRun: [ctfmon.exe] c:\windows\system32\ctfmon.exe
uRun: [swg] "c:\program files\google\googletoolbarnotifier\GoogleToolbarNotifier.exe"
uRun: [AdobeUpdater] "c:\program files\common files\adobe\updater5\AdobeUpdater.exe"
uRunOnce: [FlashPlayerUpdate] c:\windows\system32\macromed\flash\NPSWF32_FlashUtil.exe -p
mRun: [SoundMAXPnP] c:\program files\analog devices\soundmax\SMax4PNP.exe
mRun: [IntelMeM] c:\program files\intel\modem event monitor\IntelMEM.exe
mRun: [PCMService] "c:\program files\dell\media experience\PCMService.exe"
mRun: [Iomega Drive Icons] c:\dell\high speed internet offers\consumer\styles\mps\morpheus\downloads\driveicons\ImgIcon.exe
mRun: [Deskup] c:\dell\high speed internet offers\consumer\styles\mps\morpheus\downloads\driveicons\deskup.exe /IMGSTART
mRun: [BJCFD] c:\program files\broadjump\client foundation\CFD.exe
mRun: [igfxtray] c:\windows\system32\igfxtray.exe
mRun: [MMTray] "c:\program files\musicmatch\musicmatch jukebox\mm_tray.exe"
mRun: [ISUSPM Startup] c:\progra~1\common~1\instal~1\update~1\ISUSPM.exe -startup
mRun: [ISUSScheduler] "c:\program files\common files\installshield\updateservice\issch.exe" -start
mRun: [mmtask] "c:\program files\musicmatch\musicmatch jukebox\mmtask.exe"
mRun: [QuickTime Task] "c:\program files\quicktime\qttask.exe" -atboottime
mRun: [iTunesHelper] "c:\program files\itunes2\iTunesHelper.exe"
mRun: [BJPD HID Control] c:\program files\canon\bjpv\TVMon.exe
mRun: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
mRun: [avast!] c:\progra~1\alwils~1\avast4\ashDisp.exe
mRun: [SunJavaUpdateSched] "c:\program files\java\jre6\bin\jusched.exe"
StartupFolder: c:\docume~1\alluse~1\startm~1\programs\startup\adobeg~1.lnk - c:\program files\common files\adobe\calibration\Adobe Gamma Loader.exe
IE: {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe
IE: {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmatch.com/mmz/openWebRadio.html
IE: {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe
IE: {FB5F1910-F110-11d2-BB9E-00C04F795683} - c:\program files\messenger\msmsgs.exe
IE: {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - {2EAF5BB0-070F-11D3-9307-00C04FAE2D4F} - c:\progra~1\mi3aa1~1\INetRepl.dll
IE: {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - c:\progra~1\yahoo!\common\yiesrvc.dll
Trusted Zone: geekstogo.com\www
Trusted Zone: turbotax.com
DPF: Microsoft XML Parser for Java - file://c:\windows\java\classes\xmldso.cab
DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} - hxxp://support.f-secure.com/ols/fscax.cab
DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} - hxxp://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} - c:\program files\yahoo!\common\yucconfig.dll
DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} - c:\program files\yahoo!\common\Yinsthelper.dll
DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} - hxxp://musicstore.connect.com/assets/activexplayer/SMALStreaming.cab
DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} - hxxp://tools.ebayimg.com/eps/wl/activex/EPUWALControl_v1-0-3-17.cab
DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - hxxp://download.bitdefender.com/resources/scan8/oscan8.cab
DPF: {6F750200-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_1/axofupld.cab
DPF: {6F750202-1362-4815-A476-88533DE61D0C} - hxxp://www.kodakgallery.com/downloads/BUM/BUM_WIN_IE_2/axofupld.cab
DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} - hxxp://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} - hxxp://web1.shutterfly.com/downloads/Uploader.cab
DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} - hxxp://acs.pandasoftware.com/activescan/as5free/asinst.cab
DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}
DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} - hxxp://java.sun.com/update/1.6.0/jinstall-1_6_0_17-windows-i586.cab
DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} - hxxp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} - hxxp://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab
Handler: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - c:\program files\common files\microsoft shared\web folders\PKMCDO.DLL
Notify: avgrsstarter - avgrsstx.dll
Notify: igfxcui - igfxdev.dll
SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - c:\windows\system32\WPDShServiceObj.dll
SEH: SABShellExecuteHook Class: {5ae067d3-9afb-48e0-853a-ebb7f4a000da} - c:\program files\superantispyware\SASSEH.DLL
SecurityProviders: msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, digeste.dll
mASetup: {582610B8-E496-4813-993C-4B027173FE38} - c:\program files\pixiepack codec pack\InstallerHelper.exe

================= FIREFOX ===================

FF - ProfilePath - c:\docume~1\natalie\applic~1\mozilla\firefox\profiles\mdfkcawc.default\
FF - prefs.js: browser.startup.homepage - hxxp://www.yahoo.com/
FF - plugin: c:\program files\google\google updater\2.4.1536.6592\npCIDetect13.dll
FF - plugin: c:\program files\itunes2\mozilla plugins\npitunes.dll
FF - plugin: c:\program files\mozilla firefox\plugins\npCouponPrinter.dll
FF - plugin: c:\program files\viewpoint\viewpoint experience technology\npViewpoint.dll
FF - HiddenExtension: Microsoft .NET Framework Assistant: {20a82645-c095-46ed-80e3-08825760534b} - c:\windows\microsoft.net\framework\v3.5\windows presentation foundation\dotnetassistantextension\
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA}
FF - HiddenExtension: Java Console: No Registry Reference - c:\program files\mozilla firefox\extensions\{CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA}

---- FIREFOX POLICIES ----
c:\program files\mozilla firefox\greprefs\security-prefs.js - pref("security.ssl3.rsa_seed_sha", true);

============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-18 114768]
R1 SASDIFSV;SASDIFSV;c:\program files\superantispyware\SASDIFSV.SYS [2006-10-10 8944]
R1 SASKUTIL;SASKUTIL;c:\program files\superantispyware\SASKUTIL.SYS [2007-2-27 55024]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-18 20560]
R2 avast! Antivirus;avast! Antivirus;c:\program files\alwil software\avast4\ashServ.exe [2009-6-18 138680]
R3 avast! Mail Scanner;avast! Mail Scanner;c:\program files\alwil software\avast4\ashMaiSv.exe [2009-6-18 254040]
R3 avast! Web Scanner;avast! Web Scanner;c:\program files\alwil software\avast4\ashWebSv.exe [2009-6-18 352920]
R3 SASENUM;SASENUM;c:\program files\superantispyware\SASENUM.SYS [2006-2-16 4096]
S1 httpp;httpp;c:\windows\system32\drivers\httpp.sys --> c:\windows\system32\drivers\httpp.sys [?]
S3 FilterService2;Canon BJ Hid Usb Filter Service2;c:\windows\system32\drivers\bjhid2.sys [2004-12-28 6528]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-13 44928]
S3 SE31bus;Sony Ericsson Device 049 Driver driver (WDM);c:\windows\system32\drivers\SE31bus.sys [2006-10-11 61600]
S3 SE31mdfl;Sony Ericsson Device 049 USB WMC Modem Filter;c:\windows\system32\drivers\SE31mdfl.sys [2006-10-11 9360]
S3 SE31mdm;Sony Ericsson Device 049 USB WMC Modem Driver;c:\windows\system32\drivers\SE31mdm.sys [2006-10-11 97184]
S3 SE31mgmt;Sony Ericsson Device 049 USB WMC Device Management Drivers (WDM);c:\windows\system32\drivers\SE31mgmt.sys [2006-10-30 88688]
S3 se31nd5;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (NDIS);c:\windows\system32\drivers\se31nd5.sys [2006-10-30 18704]
S3 SE31obex;Sony Ericsson Device 049 USB WMC OBEX Interface;c:\windows\system32\drivers\SE31obex.sys [2006-10-30 86560]
S3 se31unic;Sony Ericsson Device 049 USB Ethernet Emulation SEMC49 (WDM);c:\windows\system32\drivers\se31unic.sys [2006-10-11 90800]

=============== Created Last 30 ================


==================== Find3M ====================

2009-12-04 00:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2009-12-04 00:13:56 19160 ----a-w- c:\windows\system32\drivers\mbam.sys
2009-10-28 14:36:11 70656 ------w- c:\windows\system32\dllcache\ie4uinit.exe
2009-10-28 14:36:11 13824 ------w- c:\windows\system32\dllcache\ieudinit.exe
2009-10-28 06:54:16 634632 ------w- c:\windows\system32\dllcache\iexplore.exe
2009-10-28 06:52:46 161792 ------w- c:\windows\system32\dllcache\ieakui.dll
2009-10-21 05:38:36 75776 ----a-w- c:\windows\system32\strmfilt.dll
2009-10-21 05:38:36 75776 ------w- c:\windows\system32\dllcache\strmfilt.dll
2009-10-21 05:38:36 25088 ----a-w- c:\windows\system32\httpapi.dll
2009-10-21 05:38:36 25088 ------w- c:\windows\system32\dllcache\httpapi.dll
2009-10-20 16:20:16 265728 ----a-w- c:\windows\system32\drivers\http.sys
2009-10-20 16:20:16 265728 ------w- c:\windows\system32\dllcache\http.sys
2009-10-13 10:30:16 270336 ----a-w- c:\windows\system32\oakley.dll
2009-10-13 10:30:16 270336 ------w- c:\windows\system32\dllcache\oakley.dll
2009-10-12 13:38:19 149504 ----a-w- c:\windows\system32\rastls.dll
2009-10-12 13:38:19 149504 ------w- c:\windows\system32\dllcache\rastls.dll
2009-10-12 13:38:18 79872 ----a-w- c:\windows\system32\raschap.dll
2009-10-12 13:38:18 79872 ------w- c:\windows\system32\dllcache\raschap.dll
2009-10-11 12:17:27 411368 ----a-w- c:\windows\system32\deploytk.dll
2008-01-08 07:34:31 10 -c--a-w- c:\program files\.autoreg
2007-12-27 05:14:26 54330664 -c--a-w- c:\program files\iTunesSetup.exe
2008-01-08 06:56:16 168 --sha-r- c:\windows\system32\7075A88E10.sys
2009-09-07 06:59:44 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2008-09-25 06:19:42 32768 -csha-w- c:\windows\system32\config\systemprofile\local settings\history\history.ie5\mshist012008092420080925\index.dat
2009-06-26 05:45:09 16384 --sha-w- c:\windows\temp\cookies\index.dat
2009-06-26 05:45:09 16384 --sha-w- c:\windows\temp\history\history.ie5\index.dat
2009-06-26 05:45:09 49152 --sha-w- c:\windows\temp\temporary internet files\content.ie5\index.dat

============= FINISH: 20:33:56.96 ===============

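An added triage helper for DDS logs like the one above (example code written for this page, not a tool from BleepingComputer or the DDS author). It parses the SERVICES / DRIVERS and Find3M sections and lists the entries a helper normally checks first: services or drivers whose binary DDS could not locate on disk (the lines DDS marks with "-->" and "[?]"), and files in the Windows tree carrying the hidden+system attributes. The sample input is an excerpt of the log in post #1; the severity labels and the index.dat exclusion are this example's own heuristics, and the output is a review list rather than a verdict (small hidden .sys files in system32 are frequently copy-protection or licensing artefacts, so each hit still needs a human look).

```python
import re
from dataclasses import dataclass

# Excerpt of the DDS log from post #1 (sample input for this example).
SAMPLE_LOG = r"""
============= SERVICES / DRIVERS ===============

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-6-18 114768]
R2 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-6-18 20560]
S1 httpp;httpp;c:\windows\system32\drivers\httpp.sys --> c:\windows\system32\drivers\httpp.sys [?]
S3 SDTHOOK;SDTHOOK;c:\windows\system32\drivers\SDTHOOK.SYS [2008-1-13 44928]

==================== Find3M ====================

2009-12-04 00:14:06 38224 ----a-w- c:\windows\system32\drivers\mbamswissarmy.sys
2008-01-08 06:56:16 168 --sha-r- c:\windows\system32\7075A88E10.sys
2009-09-07 06:59:44 2516 --sha-w- c:\windows\system32\KGyGaAvL.sys
2009-06-26 05:45:09 16384 --sha-w- c:\windows\temp\cookies\index.dat

============= FINISH: 20:33:56.96 ===============
"""

SECTION_RE = re.compile(r"^=+\s*(.+?)\s*=+$")
# DDS service line: <R|S><start type> <name>;<display name>;<path> [<date> <size>]
SERVICE_RE = re.compile(r"^([RS][0-4])\s+([^;]+);([^;]*);(.+)$")
# Find3M line: <date time> <size> <attribute flags> <path>
FIND3M_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\d+)\s+([-a-z]{8})\s+(.+)$")


@dataclass
class ServiceEntry:
    state: str          # R = running, S = stopped; digit = start type (0 boot .. 4 disabled)
    name: str
    display: str
    path: str
    file_missing: bool  # DDS printed "--> ... [?]" because it could not stat the file


@dataclass
class FileEntry:
    modified: str
    size: int
    attrs: str          # DDS attribute column, e.g. "--sha-w-"
    path: str

    @property
    def hidden_system(self) -> bool:
        return "h" in self.attrs and "s" in self.attrs


def split_sections(text: str) -> dict:
    """Group non-empty lines under the '==== NAME ====' header they follow."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line:
            sections[current].append(line)
    return sections


def parse_services(lines) -> list:
    out = []
    for line in lines:
        m = SERVICE_RE.match(line)
        if not m:
            continue
        state, name, display, rest = m.groups()
        missing = "[?]" in rest or "-->" in rest
        path = rest.split(" -->")[0].split(" [")[0].strip()
        out.append(ServiceEntry(state, name, display, path, missing))
    return out


def parse_find3m(lines) -> list:
    out = []
    for line in lines:
        m = FIND3M_RE.match(line)
        if m:
            modified, size, attrs, path = m.groups()
            out.append(FileEntry(modified, int(size), attrs, path))
    return out


def triage(text: str) -> list:
    """Return (severity, message) pairs; the severity ranking is this example's own."""
    sections = split_sections(text)
    findings = []
    for svc in parse_services(sections.get("SERVICES / DRIVERS", [])):
        if svc.file_missing:
            # A boot/system-start (0/1) entry pointing at a file that is not there is
            # either a stale leftover or something hiding itself; look at it first.
            severity = "high" if svc.state[1] in "01" else "medium"
            findings.append((severity, f"{svc.state} {svc.name}: binary not found on disk ({svc.path})"))
    for entry in parse_find3m(sections.get("Find3M", [])):
        # index.dat files are always hidden+system on XP, so they are noise here.
        if entry.hidden_system and not entry.path.lower().endswith("index.dat"):
            findings.append(("medium", f"hidden+system file {entry.path} "
                                       f"({entry.size} bytes, modified {entry.modified})"))
    return sorted(findings, key=lambda f: f[0] != "high")


if __name__ == "__main__":
    for severity, message in triage(SAMPLE_LOG):
        print(f"[{severity:6}] {message}")
```

Feed it the full DDS output (or paste the two sections) and the "high" entries come out first; on the log above the only one is the stopped system-start driver whose file DDS could not find.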

#2 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Gender: Male, Location: Pickerington, Ohio)

Posted 14 December 2009 - 08:45 AM

Hello! :(
My name is Sam and I will be helping you.

In order to see what's going on with your computer I'll ask for you to post various logs from the tools that we will use to resolve your issue. Please also share with me any information about how your computer is reacting and behaving each step of the way as we work through this process.

Please download ComboFix from one of these locations:

Link 1
Link 2
Link 3

Important!
You should NOT use Combofix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of a Malware Removal Expert, not for private use.
Using this tool incorrectly could lead to disastrous problems with your operating system such as preventing it from ever starting again.



Make sure that you save ComboFix.exe to your Desktop
  • Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools

  • Double click on ComboFix.exe & follow the prompts.

  • As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

  • Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.
**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

[screenshot not captured]

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:
[screenshot not captured]

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please copy and paste the contents of C:\ComboFix.txt in your next reply.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#3 geminis076 (Topic Starter, Members, 22 posts, Location: California)

Posted 14 December 2009 - 08:29 PM

Hi Sam :( . Thanks a lot for taking on my issue! Just wanted to reply to let you know that I have seen your post. I was able to download ComboFix from one of the links but apparently (as of this message) there is currently an issue going on with them so it can't be used until they have resolved a program fix. And the download I have says ComboFix is currently offline.

I'll keep checking in and hopefully it will be up and running again soon. But just wanted to confirm that I did see your post. Hope to post log results soon, thanks again!

----------------------------------------------------------

Oh, and I'd also like to update and add a few new things I have noticed my computer doing. It will not go into sleep mode, just stays on a "preparing to stand-by" screen. And I am now experiencing redirects, I click on a link from a Google search, and I am redirected to something completely different that is usually promoting several products.

Edited by geminis076, 14 December 2009 - 09:44 PM.


#4 Buckeye_Sam (Malware Expert, Members, 17,382 posts, Gender: Male, Location: Pickerington, Ohio)

Posted 15 December 2009 - 08:13 AM

We'll proceed without Combofix for the time being.



We need to create an OTL Report
  • Please download OTL from here
  • Save it to your desktop.
  • Double click on the icon on your desktop.
  • Click the "Scan All Users" checkbox.
  • Under the Custom Scan box paste this in

    netsvcs
    %SYSTEMDRIVE%\*.exe
    /md5start
    eventlog.dll
    scecli.dll
    netlogon.dll
    cngaudit.dll
    sceclt.dll
    ntelogon.dll
    logevent.dll
    iaStor.sys
    nvstor.sys
    atapi.sys
    IdeChnDr.sys
    viasraid.sys
    AGP440.sys
    vaxscsi.sys
    nvatabus.sys
    viamraid.sys
    nvata.sys
    nvgts.sys
    iastorv.sys
    ViPrt.sys
    eNetHook.dll
    ahcix86.sys
    KR10N.sys
    /md5stop
    %systemroot%\*. /mp /s
    CREATERESTOREPOINT




  • Click the "Quick Scan" button.
  • The scan should take just a few minutes.
  • Please copy and paste both logs back here in your next reply.


=============

The next log will show us any hidden files that are present.

Download GMER from here:
  • Unzip it to the desktop.
  • Open the program and click on the Rootkit tab.
  • Make sure all the boxes on the right of the screen are checked, EXCEPT for ‘Show All’.
  • Click on Scan.
  • When the scan has run click Copy and paste the results (if any) into this thread.


========================================================
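The driver names between /md5start and /md5stop in the custom scan above (atapi.sys, iaStor.sys, nvstor.sys and the rest) are the disk and storage-stack drivers that rootkits of that period commonly patched in place, which is why OTL prints their MD5 for the helper to compare against known-good values. The following is an added example, written for this page and not OTL's own code, of the comparison a practitioner can also do by hand on XP: hash each name in system32\drivers and in the dllcache copy that Windows File Protection keeps, and report where the two differ or one side is missing. The fixture directory it builds is constructed sample data; on a real machine pass the actual system32 path instead. Caveat: a kernel-mode rootkit that hooks the disk stack can hand clean bytes back to a user-mode hash, so a "match" is not proof of absence, which is the reason the helper also asks for a GMER scan.

```python
import hashlib
import os
import tempfile
from typing import Optional

# Names taken from the /md5start .. /md5stop block in the OTL custom scan above.
MD5_TARGETS = ["atapi.sys", "iaStor.sys", "nvstor.sys", "AGP440.sys", "IdeChnDr.sys"]


def md5_of(path: str) -> Optional[str]:
    """MD5 hex digest of a file, or None if it is not present/readable."""
    try:
        with open(path, "rb") as fh:
            return hashlib.md5(fh.read()).hexdigest()
    except OSError:
        return None


def compare_with_dllcache(system32: str, names=MD5_TARGETS) -> dict:
    """Compare system32\\drivers\\<name> against the Windows File Protection
    copy in system32\\dllcache\\<name> for each driver name.

    Status values: 'match', 'MISMATCH', 'missing-live', 'missing-cache', 'absent'.
    """
    results = {}
    for name in names:
        live = md5_of(os.path.join(system32, "drivers", name))
        cache = md5_of(os.path.join(system32, "dllcache", name))
        if live is None and cache is None:
            status = "absent"          # driver simply not installed on this box
        elif live is None:
            status = "missing-live"    # WFP has a copy but the live driver is gone
        elif cache is None:
            status = "missing-cache"   # nothing local to compare against; hash it elsewhere
        elif live == cache:
            status = "match"
        else:
            status = "MISMATCH"        # live driver differs from the protected copy
        results[name] = {"status": status, "live": live, "cache": cache}
    return results


def suspicious(results: dict) -> list:
    """Names worth a closer look: live copy differs from, or is absent despite, the cache copy."""
    return sorted(n for n, r in results.items() if r["status"] in ("MISMATCH", "missing-live"))


def build_fixture() -> str:
    """Create a throwaway system32 tree with constructed sample drivers (not real
    Windows files): atapi.sys identical in both places, iaStor.sys patched in the
    live copy, nvstor.sys only in dllcache, AGP440.sys only live, IdeChnDr.sys nowhere."""
    root = tempfile.mkdtemp(prefix="sys32_")
    drivers = os.path.join(root, "drivers")
    cache = os.path.join(root, "dllcache")
    os.makedirs(drivers)
    os.makedirs(cache)
    clean = b"MZ" + b"\x00" * 62 + b"clean driver body"
    patched = clean[:-5] + b"hook!"   # same length, different bytes, as an in-place patch would be
    for folder, name, body in [
        (drivers, "atapi.sys", clean), (cache, "atapi.sys", clean),
        (drivers, "iaStor.sys", patched), (cache, "iaStor.sys", clean),
        (cache, "nvstor.sys", clean),
        (drivers, "AGP440.sys", clean),
    ]:
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    root = build_fixture()          # replace with r"C:\WINDOWS\system32" on a live XP box
    res = compare_with_dllcache(root)
    for name, r in res.items():
        print(f"{name:14} {r['status']:14} live={r['live']} cache={r['cache']}")
    print("review:", suspicious(res))
```

A MISMATCH on one of these names is the on-disk signature that the OTL hash list is meant to surface; the dllcache copy can itself be stale after a service pack, so confirm against the hash of the same file from a known-clean install of the same patch level before acting on it.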

#5 geminis076 (Topic Starter, Members, 22 posts, Location: California)

Posted 15 December 2009 - 11:14 PM

Hello, below are the 3 requested logs from the two scans. I noticed things seemed to rearrange a bit when I copied and pasted in the message body, so I've also attached the files in case they're easier to read. In the meantime, is there anything I should be avoiding? Is normal boot ok, should I disconnect my modem or avoid the internet with the exception of scans and replying to the thread? Should I not shut down and restart my computer? At the moment I'm not able to place the system on stand-by, just stays on a Preparing to Stand-by window which has never happened until this infection. I ran into a few issues after the scans, my computer became extremely slow, froze for a little, some of the icons changed in appearance, wasn't able to open or close very basic ordinary items and would receive messages saying that the data was not accessible or not enough memory to complete the command. Thanks for any info!


OTL logfile created on: 2009-12-15 17:17:36 - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\natalie\Desktop\Bleeping Comp
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

509.98 Mb Total Physical Memory | 83.73 Mb Available Physical Memory | 16.42% Memory free
1.22 Gb Paging File | 0.70 Gb Available in Paging File | 57.76% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.46 Gb Total Space | 4.77 Gb Free Space | 13.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DH7D6961
Current User Name: natalie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Processes (SafeList) ==========

PRC - [2009-12-15 17:14:26 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\natalie\Desktop\Bleeping Comp\OTL.exe
PRC - [2009-11-24 15:51:40 | 00,081,000 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashDisp.exe
PRC - [2009-11-24 15:51:35 | 00,138,680 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashServ.exe
PRC - [2009-11-24 15:51:21 | 00,254,040 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
PRC - [2009-11-24 15:48:48 | 00,352,920 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
PRC - [2009-11-24 15:43:56 | 00,018,752 | ---- | M] (ALWIL Software) -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
PRC - [2009-11-02 19:23:08 | 00,908,248 | ---- | M] (Mozilla Corporation) -- C:\Program Files\Mozilla Firefox\firefox.exe
PRC - [2009-10-11 04:17:36 | 00,149,280 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jusched.exe
PRC - [2009-10-11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) -- C:\Program Files\Java\jre6\bin\jqs.exe
PRC - [2008-11-20 13:20:54 | 00,290,088 | ---- | M] (Apple Inc.) -- C:\Program Files\iTunes2\iTunesHelper.exe
PRC - [2008-11-20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) -- C:\Program Files\iPod\bin\iPodService.exe
PRC - [2008-11-07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
PRC - [2008-10-10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe
PRC - [2008-08-29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) -- C:\Program Files\Bonjour\mDNSResponder.exe
PRC - [2008-04-13 16:12:19 | 01,033,728 | ---- | M] (Microsoft Corporation) -- C:\WINDOWS\explorer.exe
PRC - [2008-01-10 17:31:43 | 00,068,856 | ---- | M] (Google Inc.) -- C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
PRC - [2008-01-09 13:40:40 | 00,081,920 | ---- | M] (InstallShield Software Corporation) -- C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
PRC - [2008-01-09 13:40:33 | 00,368,706 | ---- | M] () -- C:\Program Files\BroadJump\Client Foundation\CFD.exe
PRC - [2008-01-09 13:40:26 | 00,086,016 | ---- | M] (Iomega) -- C:\DELL\High Speed Internet Offers\Consumer\styles\mps\Morpheus\Downloads\DriveIcons\ImgIcon.exe
PRC - [2008-01-09 13:40:20 | 00,045,056 | ---- | M] (Canon Inc.) -- C:\Program Files\Canon\BJPV\TVMon.exe
PRC - [2008-01-09 13:40:17 | 01,388,544 | ---- | M] (Analog Devices, Inc.) -- C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
PRC - [2008-01-09 13:40:15 | 00,290,816 | ---- | M] (CyberLink Corp.) -- C:\Program Files\Dell\Media Experience\PCMService.exe
PRC - [2008-01-09 13:40:12 | 00,221,184 | ---- | M] (Intel Corporation) -- C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
PRC - [2006-11-02 19:40:12 | 00,174,656 | ---- | M] () -- C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
PRC - [2006-01-17 12:03:06 | 00,135,168 | ---- | M] (Musicmatch, Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mm_tray.exe
PRC - [2006-01-17 12:03:06 | 00,053,248 | ---- | M] (Musicmatch Inc.) -- C:\Program Files\MUSICMATCH\Musicmatch Jukebox\mmtask.exe
PRC - [2002-09-24 15:39:48 | 00,151,552 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\AutoDisk\ADService.exe
PRC - [2002-09-04 13:11:04 | 00,073,728 | ---- | M] (Iomega Corporation) -- C:\Program Files\Iomega\System32\AppServices.exe


========== Modules (SafeList) ==========

MOD - [2009-12-15 17:14:26 | 00,538,112 | ---- | M] (OldTimer Tools) -- C:\Documents and Settings\natalie\Desktop\Bleeping Comp\OTL.exe
MOD - [2002-08-06 12:01:54 | 00,286,720 | ---- | M] (Iomega Corporation) -- C:\DELL\High Speed Internet Offers\Consumer\styles\mps\Morpheus\Downloads\DriveIcons\Imghook.dll


========== Win32 Services (SafeList) ==========

SRV - File not found [Disabled | Stopped] -- -- (Iomega Activity Disk2)
SRV - [2009-11-24 15:51:35 | 00,138,680 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\ashServ.exe -- (avast! Antivirus)
SRV - [2009-11-24 15:51:21 | 00,254,040 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe -- (avast! Mail Scanner)
SRV - [2009-11-24 15:48:48 | 00,352,920 | ---- | M] (ALWIL Software) [On_Demand | Running] -- C:\Program Files\Alwil Software\Avast4\ashWebSv.exe -- (avast! Web Scanner)
SRV - [2009-11-24 15:43:56 | 00,018,752 | ---- | M] (ALWIL Software) [Auto | Running] -- C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe -- (aswUpdSv)
SRV - [2009-10-11 04:17:35 | 00,153,376 | ---- | M] (Sun Microsystems, Inc.) [Auto | Running] -- C:\Program Files\Java\jre6\bin\jqs.exe -- (JavaQuickStarterService)
SRV - [2009-03-24 12:24:56 | 00,183,280 | ---- | M] (Google) [Auto | Stopped] -- C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe -- (gusvc)
SRV - [2009-01-21 18:27:35 | 00,655,624 | ---- | M] (Acresso Software Inc.) [On_Demand | Stopped] -- C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe -- (FLEXnet Licensing Service)
SRV - [2008-11-20 13:20:44 | 00,536,872 | ---- | M] (Apple Inc.) [On_Demand | Running] -- C:\Program Files\iPod\bin\iPodService.exe -- (iPod Service)
SRV - [2008-11-07 14:28:16 | 00,132,424 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe -- (Apple Mobile Device)
SRV - [2008-10-10 05:45:26 | 00,013,088 | ---- | M] (Intuit Inc.) [Auto | Running] -- C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe -- (IntuitUpdateService)
SRV - [2008-08-29 10:18:44 | 00,238,888 | ---- | M] (Apple Inc.) [Auto | Running] -- C:\Program Files\Bonjour\mDNSResponder.exe -- (Bonjour Service)
SRV - [2006-11-02 19:40:12 | 00,174,656 | ---- | M] () [Auto | Running] -- C:\Program Files\Common Files\Protexis\License Service\PSIService.exe -- (ProtexisLicensing)
SRV - [2005-04-03 23:41:10 | 00,069,632 | ---- | M] (Macrovision Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe -- (IDriverT)
SRV - [2004-10-29 01:20:54 | 00,053,337 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe -- (PACSPTISVR)
SRV - [2004-10-29 01:18:24 | 00,069,718 | ---- | M] (Sony Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe -- (SPTISRV)
SRV - [2004-08-04 03:00:00 | 00,295,424 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\WINDOWS\SYSTEM32\termsrv32.dll -- (TermService)
SRV - [2003-12-17 11:59:48 | 00,143,360 | ---- | M] (Intel® Corporation) [On_Demand | Stopped] -- C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe -- (NetSvc)
SRV - [2003-07-28 10:28:22 | 00,089,136 | ---- | M] (Microsoft Corporation) [On_Demand | Stopped] -- C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE -- (ose)
SRV - [2002-09-24 15:39:48 | 00,151,552 | ---- | M] (Iomega Corporation) [Auto | Running] -- C:\Program Files\Iomega\AutoDisk\ADService.exe -- (_IOMEGA_ACTIVE_DISK_SERVICE_)
SRV - [2002-09-04 13:11:04 | 00,073,728 | ---- | M] (Iomega Corporation) [Auto | Running] -- C:\Program Files\Iomega\System32\AppServices.exe -- (Iomega App Services)


========== Standard Registry (SafeList) ==========


========== Internet Explorer ==========

IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Local Page = %SystemRoot%\system32\blank.htm
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,CustomSearch = http://red.clientapps.yahoo.com/customize/.../search/ie.html
IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.google.com/ie


IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\.DEFAULT\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,First Home Page = http://www.dell4me.com/myway
IE - HKU\S-1-5-18\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0


IE - HKU\S-1-5-20\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0

IE - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultName = Google
IE - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Internet Explorer\Main,SearchMigratedDefaultURL = http://www.google.com/search?q={searchTerms}
IE - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
IE - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..\URLSearchHook: {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
IE - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\S-1-5-21-1720846278-4117750427-1760893729-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyEnable" = 0
IE - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\S-1-5-21-1720846278-4117750427-1760893729-1006\Software\Microsoft\Windows\CurrentVersion\Internet Settings: "ProxyOverride" = 127.0.0.1;*.local

========== FireFox ==========

FF - prefs.js..browser.startup.homepage: "http://www.yahoo.com/"
FF - prefs.js..extensions.enabledItems: jqs@sun.com:1.0
FF - prefs.js..network.proxy.no_proxies_on: "127.0.0.1"

FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Components: C:\Program Files\Mozilla Firefox\components [2009-12-13 22:54:46 | 00,000,000 | ---D | M]
FF - HKLM\software\mozilla\Mozilla Firefox 3.5.5\extensions\\Plugins: C:\Program Files\Mozilla Firefox\plugins [2009-12-13 18:58:51 | 00,000,000 | ---D | M]

[2009-07-10 13:03:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Mozilla\Extensions
[2009-07-10 13:03:15 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Mozilla\Extensions\home2@tomtom.com
[2009-12-15 17:16:23 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Mozilla\Firefox\Profiles\mdfkcawc.default\extensions
[2009-12-15 17:16:23 | 00,000,000 | ---D | M] -- C:\Program Files\Mozilla Firefox\extensions
[2007-06-30 23:25:10 | 00,000,000 | ---D | M] (Google Toolbar for Firefox) -- C:\Program Files\Mozilla Firefox\extensions\{3112ca9c-de6d-4884-a869-9855de68056c}
[2008-06-17 22:43:04 | 00,086,016 | ---- | M] (Coupons, Inc.) -- C:\Program Files\Mozilla Firefox\plugins\npCouponPrinter.dll
[2006-01-18 12:50:00 | 00,319,488 | ---- | M] ( ) -- C:\Program Files\Mozilla Firefox\plugins\npsnapfish.dll

O1 HOSTS File: (27 bytes) - C:\WINDOWS\SYSTEM32\DRIVERS\ETC\hosts
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (&Yahoo! Toolbar Helper) - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O2 - BHO: (Adobe PDF Reader Link Helper) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated)
O2 - BHO: (no name) - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - No CLSID value found.
O2 - BHO: (Yahoo! IE Services Button) - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O2 - BHO: (Google Toolbar Helper) - {AA58ED58-01DD-4d91-8333-CF10577473F7} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.4.4525.1752\swg.dll (Google Inc.)
O2 - BHO: (Java™ Plug-In 2 SSV Helper) - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll (Sun Microsystems, Inc.)
O2 - BHO: (JQSIEStartDetectorImpl Class) - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll (Sun Microsystems, Inc.)
O2 - BHO: (SidebarAutoLaunch Class) - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll (Yahoo! Inc.)
O3 - HKLM\..\Toolbar: (Google Toolbar) - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKLM\..\Toolbar: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O3 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..\Toolbar\WebBrowser: (Google Toolbar) - {2318C2B1-4965-11D4-9B18-009027A5CD4F} - C:\Program Files\Google\Google Toolbar\GoogleToolbar_32.dll (Google Inc.)
O3 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..\Toolbar\WebBrowser: (Yahoo! Toolbar) - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll (Yahoo! Inc.)
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated)
O4 - HKLM..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe (ALWIL Software)
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe ()
O4 - HKLM..\Run: [BJPD HID Control] C:\Program Files\Canon\BJPV\TVMon.exe (Canon Inc.)
O4 - HKLM..\Run: [Deskup] C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\deskup.exe (Iomega)
O4 - HKLM..\Run: [igfxtray] C:\WINDOWS\SYSTEM32\igfxtray.exe (Intel Corporation)
O4 - HKLM..\Run: [IntelMeM] C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe (Intel Corporation)
O4 - HKLM..\Run: [Iomega Drive Icons] C:\DELL\High Speed Internet Offers\Consumer\styles\mps\Morpheus\Downloads\DriveIcons\ImgIcon.exe (Iomega)
O4 - HKLM..\Run: [ISUSPM Startup] C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [ISUSScheduler] C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe (InstallShield Software Corporation)
O4 - HKLM..\Run: [iTunesHelper] C:\Program Files\iTunes2\iTunesHelper.exe (Apple Inc.)
O4 - HKLM..\Run: [KernelFaultCheck] File not found
O4 - HKLM..\Run: [mmtask] C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe (Musicmatch Inc.)
O4 - HKLM..\Run: [MMTray] C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe (Musicmatch, Inc.)
O4 - HKLM..\Run: [PCMService] C:\Program Files\Dell\Media Experience\PCMService.exe (CyberLink Corp.)
O4 - HKLM..\Run: [QuickTime Task] C:\Program Files\QuickTime\qttask.exe (Apple Inc.)
O4 - HKLM..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe (Analog Devices, Inc.)
O4 - HKLM..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre6\bin\jusched.exe (Sun Microsystems, Inc.)
O4 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe (Adobe Systems Incorporated)
O4 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe (Google Inc.)
O4 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006..\Run: [Yahoo! Pager] File not found
O4 - Startup: C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.)
O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoCDBurning = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 227
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: HonorAutoRunSetting = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\.DEFAULT\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-18\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: CDRAutoRun = 0
O7 - HKU\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-19\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-19_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 145
O7 - HKU\S-1-5-20_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveTypeAutoRun = 323
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDriveAutoRun = 67108863
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer: NoDrives = 0
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLegacyLogonScripts = 0
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideLogoffScripts = 0
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: HideStartupScripts = 0
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunLogonScriptSync = 1
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\System: RunStartupScriptSync = 0
O7 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006_Classes\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra Button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra 'Tools' menuitem : Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\Program Files\Microsoft ActiveSync\INetRepl.dll (Microsoft Corporation)
O9 - Extra Button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (Yahoo! Inc.)
O9 - Extra 'Tools' menuitem : Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe ()
O9 - Extra Button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - File not found
O10 - NameSpace_Catalog5\Catalog_Entries\000000000004 [] - C:\Program Files\Bonjour\mdnsNSP.dll (Apple Inc.)
O15 - HKLM\..Trusted Domains: 1 domain(s) and sub-domain(s) not assigned to a zone.
O15 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..Trusted Domains: aol.com ([objects] * is out of zone range - 5)
O15 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..Trusted Domains: geekstogo.com ([www] * in Trusted sites)
O15 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..Trusted Domains: turbotax.com ([]http in Trusted sites)
O15 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..Trusted Domains: turbotax.com ([]https in Trusted sites)
O15 - HKU\S-1-5-21-1720846278-4117750427-1760893729-1006\..Trusted Domains: 2 domain(s) and sub-domain(s) not assigned to a zone.
O16 - DPF: {0B79F48A-E8D6-11DB-9283-E25056D89593} http://support.f-secure.com/ols/fscax.cab (F-Secure Online Scanner 3.1)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab (CKAVWebScan Object)
O16 - DPF: {231B1C6E-F934-42A2-92B6-C2FEFEC24276} C:\Program Files\Yahoo!\common\yucconfig.dll (yucsetreg Class)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} C:\Program Files\Yahoo!\Common\Yinsthelper.dll (Installation Support)
O16 - DPF: {341FF14B-00CB-49F5-A427-A164DF1D5E1F} http://musicstore.connect.com/assets/activ...ALStreaming.cab (MALPlaybackCtrl Class)
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} http://tools.ebayimg.com/eps/wl/activex/EP...l_v1-0-3-17.cab (EPUImageControl Class)
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} http://download.bitdefender.com/resources/scan8/oscan8.cab (BDSCANONLINE Control)
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._1/axofupld.cab (Ofoto Upload Manager Class)
O16 - DPF: {6F750202-1362-4815-A476-88533DE61D0C} http://www.kodakgallery.com/downloads/BUM/..._2/axofupld.cab (Kodak Gallery Easy Upload Manager Class)
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} http://fpdownload.macromedia.com/get/flash...t/ultrashim.cab (Reg Error: Key error.)
O16 - DPF: {9600F64D-755F-11D4-A47F-0001023E6D5A} http://web1.shutterfly.com/downloads/Uploader.cab (Shutterfly Picture Upload Plugin)
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} http://acs.pandasoftware.com/activescan/as5free/asinst.cab (ActiveScan Installer Class)
O16 - DPF: {CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA} Reg Error: Value error. (Reg Error: Key error.)
O16 - DPF: {CAFEEFAC-0016-0000-0017-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} http://java.sun.com/update/1.6.0/jinstall-...indows-i586.cab (Java Plug-in 1.6.0_17)
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} http://fpdownload.macromedia.com/pub/shock...ash/swflash.cab (Shockwave Flash Object)
O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} http://pdl.stream.aol.com/downloads/aol/unagi/ampx_en_dl.cab (IWinAmpActiveX Class)
O16 - DPF: Microsoft XML Parser for Java file://C:\WINDOWS\Java\classes\xmldso.cab (Reg Error: Key error.)
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.0.1 192.168.0.1
O18 - Protocol\Handler\linkscanner {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - Reg Error: Key error. File not found
O20 - HKLM Winlogon: Shell - (Explorer.exe) - C:\WINDOWS\explorer.exe (Microsoft Corporation)
O20 - Winlogon\Notify\avgrsstarter: DllName - avgrsstx.dll - File not found
O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\WINDOWS\System32\igfxdev.dll (Intel Corporation)
O28 - HKLM ShellExecuteHooks: {5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} - C:\Program Files\SUPERAntiSpyware\SASSEH.DLL (SuperAdBlocker.com)
O29 - HKLM SecurityProviders - (digeste.dll) - File not found
O32 - HKLM CDRom: AutoRun - 1
O32 - AutoRun File - [2004-08-10 11:04:08 | 00,000,000 | ---- | M] () - C:\AUTOEXEC.BAT -- [ NTFS ]
O33 - MountPoints2\{9ebb7e7e-825d-11db-9882-00038a000015}\Shell - "" = AutoRun
O33 - MountPoints2\{9ebb7e7e-825d-11db-9882-00038a000015}\Shell\AutoRun - "" = Auto&Play
O33 - MountPoints2\{9ebb7e7e-825d-11db-9882-00038a000015}\Shell\AutoRun\command - "" = E:\LaunchU3.exe -- File not found
O33 - MountPoints2\{9ebb7e80-825d-11db-9882-00038a000015}\Shell\AutoRun\command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{9ebb7e80-825d-11db-9882-00038a000015}\Shell\Shell00\Command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{9ebb7e80-825d-11db-9882-00038a000015}\Shell\Shell01\Command - "" = G:\Autorun.exe -- File not found
O33 - MountPoints2\{9ebb7e80-825d-11db-9882-00038a000015}\Shell\Shell02\Command - "" = G:\Autorun.exe -- File not found
O34 - HKLM BootExecute: (autocheck autochk *) - File not found
O35 - comfile [open] -- "%1" %*
O35 - exefile [open] -- "%1" %*

NetSvcs: 6to4 - File not found
NetSvcs: Ias - C:\WINDOWS\SYSTEM32\IAS [2004-12-11 16:14:24 | 00,000,000 | ---D | M]
NetSvcs: Iprip - File not found
NetSvcs: Irmon - File not found
NetSvcs: NWCWorkstation - File not found
NetSvcs: Nwsapagent - File not found
NetSvcs: Wmi - C:\WINDOWS\SYSTEM32\wmi.dll (Microsoft Corporation)
NetSvcs: WmdmPmSp - File not found

CREATERESTOREPOINT
Restore point Set: OTL Restore Point (16891947461378048)

========== Files/Folders - Created Within 14 Days ==========

[2009-12-14 18:38:58 | 00,000,000 | ---D | C] -- C:\Documents and Settings\natalie\My Documents\photoeditor.aspx_files
[2009-12-13 20:29:54 | 00,000,000 | ---D | C] -- C:\Documents and Settings\natalie\Desktop\Bleeping Comp
[2009-06-18 20:24:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\NetworkService\Application Data\Microsoft
[2009-06-18 20:24:03 | 00,000,000 | --SD | M] -- C:\Documents and Settings\LocalService\Application Data\Microsoft
[2009-06-18 20:24:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft
[2009-06-18 20:24:03 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft
[2008-09-15 10:43:50 | 00,047,360 | ---- | C] (VSO Software) -- C:\Documents and Settings\natalie\Application Data\pcouffin.sys
[2008-01-09 08:10:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\NetworkService\Local Settings\Application Data\Apple
[2007-12-26 21:13:37 | 54,330,664 | ---- | C] (Apple Inc.) -- C:\Program Files\iTunesSetup.exe
[2007-10-14 12:10:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\yahoo!
[2005-02-03 11:54:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\Macromedia
[2004-12-24 19:59:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\LocalService\Application Data\McAfee.com Personal Firewall
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files - Modified Within 14 Days ==========

[2009-12-15 17:05:56 | 00,002,206 | ---- | M] () -- C:\WINDOWS\System32\WPA.DBL
[2009-12-15 17:05:22 | 00,000,868 | ---- | M] () -- C:\WINDOWS\tasks\Google Software Updater.job
[2009-12-15 17:05:02 | 00,000,006 | -H-- | M] () -- C:\WINDOWS\tasks\SA.DAT
[2009-12-15 17:04:35 | 00,002,048 | --S- | M] () -- C:\WINDOWS\BOOTSTAT.DAT
[2009-12-15 17:04:34 | 53,482,7008 | -HS- | M] () -- C:\hiberfil.sys
[2009-12-15 09:45:18 | 10,485,760 | ---- | M] () -- C:\Documents and Settings\natalie\NTUSER.DAT
[2009-12-15 09:44:19 | 00,000,278 | -HS- | M] () -- C:\Documents and Settings\natalie\NTUSER.INI
[2009-12-14 18:39:10 | 00,093,527 | ---- | M] () -- C:\Documents and Settings\natalie\My Documents\photoeditor.aspx.htm
[2009-12-13 19:41:15 | 00,110,592 | ---- | M] () -- C:\Documents and Settings\natalie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2009-12-13 18:58:55 | 00,001,602 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009-12-11 22:18:23 | 00,000,821 | ---- | M] () -- C:\Documents and Settings\natalie\My Documents\Dec 11 2009.rtf
[2009-12-11 00:19:59 | 00,002,141 | ---- | M] () -- C:\Documents and Settings\All Users\Desktop\iTunes.lnk
[2009-12-10 21:32:48 | 00,002,429 | ---- | M] () -- C:\Documents and Settings\natalie\Desktop\WordPerfect.lnk
[2009-12-09 13:13:05 | 00,000,676 | ---- | M] () -- C:\Documents and Settings\natalie\My Documents\Dec 9 2009.rtf
[2009-12-09 13:10:36 | 00,001,335 | ---- | M] () -- C:\Documents and Settings\natalie\My Documents\Dec 03 2009.rtf
[2009-12-09 12:37:41 | 00,442,466 | ---- | M] () -- C:\WINDOWS\System32\PERFH009.DAT
[2009-12-09 12:37:41 | 00,071,732 | ---- | M] () -- C:\WINDOWS\System32\PERFC009.DAT
[2009-12-09 12:37:39 | 00,524,016 | ---- | M] () -- C:\WINDOWS\System32\PerfStringBackup.INI
[2009-12-05 14:42:13 | 00,002,626 | ---- | M] () -- C:\WINDOWS\System32\CONFIG.NT
[2009-12-05 01:02:24 | 00,006,683 | ---- | M] () -- C:\Documents and Settings\natalie\My Documents\OfficeMax_decal_instructions.rtf
[2009-12-03 16:16:24 | 00,001,587 | ---- | M] () -- C:\Documents and Settings\natalie\My Documents\Nov 29 2009.rtf
[2009-12-03 16:14:06 | 00,038,224 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbamswissarmy.sys
[2009-12-03 16:13:56 | 00,019,160 | ---- | M] (Malwarebytes Corporation) -- C:\WINDOWS\System32\drivers\mbam.sys
[3 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp -> ]
[1 C:\WINDOWS\*.tmp files -> C:\WINDOWS\*.tmp -> ]

========== Files Created - No Company Name ==========

[2009-12-14 19:12:05 | 53,482,7008 | -HS- | C] () -- C:\hiberfil.sys
[2009-12-14 18:38:54 | 00,093,527 | ---- | C] () -- C:\Documents and Settings\natalie\My Documents\photoeditor.aspx.htm
[2009-12-13 18:58:55 | 00,001,602 | ---- | C] () -- C:\Documents and Settings\All Users\Desktop\Mozilla Firefox.lnk
[2009-12-12 23:54:29 | 00,001,532 | ---- | C] () -- C:\Documents and Settings\natalie\Desktop\Disk Cleanup.lnk
[2009-12-11 15:07:08 | 00,000,821 | ---- | C] () -- C:\Documents and Settings\natalie\My Documents\Dec 11 2009.rtf
[2009-12-09 13:13:05 | 00,000,676 | ---- | C] () -- C:\Documents and Settings\natalie\My Documents\Dec 9 2009.rtf
[2009-12-03 23:23:15 | 00,001,335 | ---- | C] () -- C:\Documents and Settings\natalie\My Documents\Dec 03 2009.rtf
[2009-05-07 12:17:11 | 00,000,050 | ---- | C] () -- C:\WINDOWS\MegaManager.INI
[2008-09-15 10:43:50 | 00,007,887 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\pcouffin.cat
[2008-09-15 10:43:50 | 00,001,144 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\pcouffin.inf
[2008-09-15 10:43:50 | 00,000,055 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\pcouffin.log
[2008-06-04 00:48:07 | 00,000,722 | ---- | C] () -- C:\WINDOWS\cdPlayer.ini
[2008-01-13 15:29:29 | 00,011,776 | ---- | C] () -- C:\WINDOWS\System32\ZPORT4AS.dll
[2008-01-09 03:26:19 | 00,000,129 | ---- | C] () -- C:\WINDOWS\System32\MRT.INI
[2008-01-07 23:34:31 | 00,000,010 | ---- | C] () -- C:\Program Files\.autoreg
[2007-11-30 22:54:12 | 00,000,022 | ---- | C] () -- C:\Documents and Settings\natalie\Local Settings\Application Data\kodakpcd.ini
[2007-10-28 11:40:34 | 00,000,443 | ---- | C] () -- C:\WINDOWS\capture.ini
[2007-08-23 17:30:00 | 00,007,680 | ---- | C] () -- C:\WINDOWS\System32\ff_vfw.dll
[2007-08-18 23:32:49 | 00,000,168 | RHS- | C] () -- C:\WINDOWS\System32\7075A88E10.sys
[2007-08-18 23:27:33 | 00,002,516 | -HS- | C] () -- C:\WINDOWS\System32\KGyGaAvL.sys
[2007-08-18 21:30:58 | 00,210,944 | ---- | C] () -- C:\WINDOWS\System32\Msvcrt10.dll
[2007-06-18 22:29:35 | 00,001,146 | ---- | C] () -- C:\WINDOWS\pstudio.ini
[2007-06-18 22:29:35 | 00,000,028 | ---- | C] () -- C:\WINDOWS\album.ini
[2007-06-18 22:29:34 | 00,000,021 | ---- | C] () -- C:\WINDOWS\Ps_setup.ini
[2007-04-01 18:06:11 | 00,000,350 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\wklnhst.dat
[2007-02-09 15:42:28 | 00,000,620 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\AutoGK.ini
[2007-01-16 18:53:45 | 00,065,536 | ---- | C] () -- C:\WINDOWS\System32\YCRWin32.dll
[2007-01-12 15:55:26 | 00,000,002 | ---- | C] () -- C:\WINDOWS\msoffice.ini
[2006-12-08 04:50:14 | 00,217,088 | ---- | C] () -- C:\WINDOWS\System32\xvidvfw.dll
[2006-12-08 04:47:54 | 01,159,168 | ---- | C] () -- C:\WINDOWS\System32\xvidcore.dll
[2006-09-29 17:59:29 | 00,000,000 | ---- | C] () -- C:\WINDOWS\SETUP32.INI
[2006-09-23 19:42:53 | 00,000,000 | ---- | C] () -- C:\WINDOWS\Mavis Beacon Teaches Typing.INI
[2006-07-06 13:26:33 | 00,000,032 | ---- | C] () -- C:\WINDOWS\WinInit.ini.backup
[2006-03-31 11:48:24 | 03,271,964 | ---- | C] () -- C:\WINDOWS\System32\symbeans.dll
[2006-03-31 11:48:22 | 00,374,300 | ---- | C] () -- C:\WINDOWS\System32\snjwindows.dll
[2006-03-31 11:48:22 | 00,357,916 | ---- | C] () -- C:\WINDOWS\System32\snjwindows11.dll
[2006-03-31 11:48:21 | 04,544,540 | ---- | C] () -- C:\WINDOWS\System32\snjswing11.dll
[2006-03-31 11:48:19 | 04,170,268 | ---- | C] () -- C:\WINDOWS\System32\snjswing.dll
[2006-03-31 11:48:18 | 00,573,980 | ---- | C] () -- C:\WINDOWS\System32\snjmotif.dll
[2006-03-31 11:48:18 | 00,560,156 | ---- | C] () -- C:\WINDOWS\System32\snjmotif11.dll
[2006-03-31 11:48:18 | 00,152,604 | ---- | C] () -- C:\WINDOWS\System32\snjmulti11.dll
[2006-03-31 11:48:18 | 00,152,604 | ---- | C] () -- C:\WINDOWS\System32\snjmulti.dll
[2006-03-31 11:48:17 | 01,858,012 | ---- | C] () -- C:\WINDOWS\System32\dbaw_awtbase.dll
[2006-03-31 11:48:17 | 00,566,812 | ---- | C] () -- C:\WINDOWS\System32\sfc103.dll
[2006-03-31 11:48:17 | 00,492,572 | ---- | C] () -- C:\WINDOWS\System32\sfc11.dll
[2006-03-31 11:48:17 | 00,344,604 | ---- | C] () -- C:\WINDOWS\System32\sfcbase.dll
[2006-03-31 11:48:16 | 00,666,500 | ---- | C] () -- C:\WINDOWS\System32\dbaw_awt11.dll
[2006-03-31 11:48:16 | 00,658,732 | ---- | C] () -- C:\WINDOWS\System32\dbaw_awt103.dll
[2006-03-31 11:48:16 | 00,607,552 | ---- | C] () -- C:\WINDOWS\System32\dbawjnet.dll
[2006-03-31 11:48:16 | 00,538,432 | ---- | C] () -- C:\WINDOWS\System32\dbawjpro.dll
[2006-03-31 11:48:16 | 00,305,468 | ---- | C] () -- C:\WINDOWS\System32\dbawjdbc.dll
[2006-03-31 11:48:15 | 02,855,740 | ---- | C] () -- C:\WINDOWS\System32\databindbase.dll
[2006-03-31 11:48:15 | 00,611,244 | ---- | C] () -- C:\WINDOWS\System32\databind11.dll
[2006-03-31 11:48:14 | 00,612,884 | ---- | C] () -- C:\WINDOWS\System32\databind103.dll
[2006-03-30 22:43:51 | 00,001,356 | ---- | C] () -- C:\Documents and Settings\All Users\Application Data\QTSBandwidthCache
[2005-11-12 15:18:19 | 00,000,754 | ---- | C] () -- C:\WINDOWS\WORDPAD.INI
[2005-11-10 21:07:54 | 00,002,508 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\$_hpcst$.hpc
[2005-11-10 21:01:49 | 00,000,376 | ---- | C] () -- C:\WINDOWS\ODBC.INI
[2005-04-04 10:36:16 | 00,000,030 | ---- | C] () -- C:\WINDOWS\morphexe.INI
[2005-04-02 23:07:04 | 00,000,045 | ---- | C] () -- C:\WINDOWS\JGJIFMMN.ini
[2005-03-09 14:24:49 | 00,044,544 | ---- | C] () -- C:\WINDOWS\System32\gif89.dll
[2005-03-09 14:24:36 | 00,000,509 | ---- | C] () -- C:\WINDOWS\SIERRA.INI
[2005-03-01 14:30:20 | 00,000,453 | ---- | C] () -- C:\WINDOWS\bdoscandellang.ini
[2005-02-28 17:30:45 | 00,000,111 | ---- | C] () -- C:\WINDOWS\ka.ini
[2005-02-28 13:26:25 | 00,000,306 | ---- | C] () -- C:\WINDOWS\QTW.INI
[2005-02-22 22:38:48 | 00,110,592 | ---- | C] () -- C:\Documents and Settings\natalie\Local Settings\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
[2005-01-04 12:53:44 | 00,061,678 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\PFP120JPR.{PB
[2005-01-04 12:53:44 | 00,012,358 | ---- | C] () -- C:\Documents and Settings\natalie\Application Data\PFP120JCM.{PB
[2004-12-28 12:41:22 | 00,000,032 | ---- | C] () -- C:\WINDOWS\WinInit.ini
[2004-12-28 00:30:01 | 00,006,656 | ---- | C] () -- C:\WINDOWS\System32\CNMVS5e.DLL
[2004-12-27 14:07:52 | 00,019,968 | ---- | C] () -- C:\WINDOWS\System32\Cpuinf32.dll
[2004-12-11 16:52:34 | 00,000,061 | ---- | C] () -- C:\WINDOWS\smscfg.ini
[2004-12-11 16:17:08 | 00,000,520 | ---- | C] () -- C:\WINDOWS\System32\OEMINFO.INI
[2004-08-10 11:13:12 | 00,000,780 | ---- | C] () -- C:\WINDOWS\ORUN32.INI
[2004-08-04 03:00:00 | 00,001,793 | ---- | C] () -- C:\WINDOWS\System32\FXSPERF.INI
[2002-10-15 14:54:04 | 00,153,088 | ---- | C] () -- C:\WINDOWS\System32\unrar.dll
[2001-10-24 16:00:40 | 00,524,288 | ---- | C] () -- C:\WINDOWS\System32\TDI-SonyOMG.dll
[1979-12-31 22:00:00 | 00,012,288 | ---- | C] () -- C:\WINDOWS\System32\e100bmsg.dll

========== LOP Check ==========

[2006-09-23 19:46:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund
[2007-01-12 16:19:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Broderbund LLC
[2008-09-24 22:27:39 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Grisoft
[2006-10-30 20:22:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Napster
[2008-06-04 12:07:30 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\RapidSolution
[2008-01-08 21:21:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\TEMP
[2005-05-10 16:53:33 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\Viewpoint
[2009-01-05 01:41:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
[2006-07-06 13:36:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Active Disk
[2006-09-23 19:45:16 | 00,000,000 | -H-D | M] -- C:\Documents and Settings\natalie\Application Data\Broderbund
[2009-11-05 00:14:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Canon
[2008-01-20 14:17:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\eFax Messenger
[2009-05-12 00:44:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\FileMaker
[2009-01-21 18:31:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\FileMaker Pro
[2009-05-12 00:53:43 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\FileMaker Pro Advanced
[2007-08-23 22:57:11 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Flickr
[2008-06-02 00:22:46 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\FrostWire
[2007-07-16 23:13:20 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Grisoft
[2009-07-26 22:52:27 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\ImTOO Software Studio
[2009-03-26 17:53:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\JGoodies
[2009-01-22 22:56:22 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Leadertech
[2007-06-19 15:14:35 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Morpheus
[2008-06-03 01:20:05 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Musicmatch
[2009-02-03 17:18:51 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\OpenOffice.org
[2009-03-07 22:33:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\PhotoStudio Expressions
[2007-08-22 13:22:59 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\SignGoLiteFD
[2007-11-25 00:01:31 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Snapfish
[2007-04-02 13:29:57 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Template
[2009-07-10 13:03:02 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\TomTom
[2008-06-04 11:37:10 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Tunebite
[2009-12-11 23:18:49 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\uTorrent
[2007-03-24 23:07:13 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Viewpoint
[2008-09-15 10:43:50 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Vso
[2008-12-16 19:55:09 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\W Photo Studio Viewer
[2009-04-13 01:32:28 | 00,000,000 | ---D | M] -- C:\Documents and Settings\natalie\Application Data\Xilisoft Corporation

========== Purity Check ==========



========== Custom Scans ==========


< %SYSTEMDRIVE%\*.exe >
[2005-12-26 09:43:34 | 00,010,920 | ---- | M] () -- C:\aolconnfix.exe


< MD5 for: AGP440.SYS >
[2008-04-13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\ServicePackFiles\i386\agp440.sys
[2008-04-13 10:36:38 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=08FD04AA961BDC77FB983F328334E3D7 -- C:\WINDOWS\SYSTEM32\DRIVERS\agp440.sys
[2004-08-03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\I386\AGP440.SYS
[2004-08-03 21:07:42 | 00,042,368 | ---- | M] (Microsoft Corporation) MD5=2C428FA0C3E3A01ED93C9B2A27D8D4BB -- C:\WINDOWS\$NtServicePackUninstall$\agp440.sys

< MD5 for: ATAPI.SYS >
[2008-04-13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\ServicePackFiles\i386\atapi.sys
[2008-04-13 10:40:30 | 00,096,512 | ---- | M] (Microsoft Corporation) MD5=9F3A2F5AA6875C72BF062C712CFA2674 -- C:\WINDOWS\SYSTEM32\DRIVERS\atapi.sys
[2004-08-03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\I386\atapi.sys
[2004-08-03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\$NtServicePackUninstall$\atapi.sys
[2004-08-03 20:59:44 | 00,095,360 | ---- | M] (Microsoft Corporation) MD5=CDFE4411A69C224BD1D11B2DA92DAC51 -- C:\WINDOWS\SYSTEM32\ReinstallBackups\0005\DriverFiles\i386\atapi.sys

< MD5 for: EVENTLOG.DLL >
[2008-04-13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\ServicePackFiles\i386\eventlog.dll
[2008-04-13 16:11:53 | 00,056,320 | ---- | M] (Microsoft Corporation) MD5=6D4FEB43EE538FC5428CC7F0565AA656 -- C:\WINDOWS\SYSTEM32\eventlog.dll
[2004-08-04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\I386\EVENTLOG.DLL
[2004-08-04 03:00:00 | 00,055,808 | ---- | M] (Microsoft Corporation) MD5=82B24CB70E5944E6E34662205A2A5B78 -- C:\WINDOWS\$NtServicePackUninstall$\eventlog.dll

< MD5 for: NETLOGON.DLL >
[2008-04-13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\ServicePackFiles\i386\netlogon.dll
[2008-04-13 16:12:01 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=1B7F071C51B77C272875C3A23E1E4550 -- C:\WINDOWS\SYSTEM32\netlogon.dll
[2004-08-04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\I386\NETLOGON.DLL
[2004-08-04 03:00:00 | 00,407,040 | ---- | M] (Microsoft Corporation) MD5=96353FCECBA774BB8DA74A1C6507015A -- C:\WINDOWS\$NtServicePackUninstall$\netlogon.dll

< MD5 for: SCECLI.DLL >
[2004-08-04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\I386\SCECLI.DLL
[2004-08-04 03:00:00 | 00,180,224 | ---- | M] (Microsoft Corporation) MD5=0F78E27F563F2AAF74B91A49E2ABF19A -- C:\WINDOWS\$NtServicePackUninstall$\scecli.dll
[2008-04-13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\ServicePackFiles\i386\scecli.dll
[2008-04-13 16:12:05 | 00,181,248 | ---- | M] (Microsoft Corporation) MD5=A86BB5E61BF3E39B62AB4C7E7085A084 -- C:\WINDOWS\SYSTEM32\scecli.dll

< %systemroot%\*. /mp /s >

========== Files - Unicode (All) ==========
[2009-04-01 21:11:10 | 00,000,000 | ---D | M](C:\Docum??) -- C:\DocumҶ
[2009-04-01 21:11:10 | 00,000,000 | ---D | C](C:\Docum??) -- C:\DocumҶ

========== Alternate Data Streams ==========

@Alternate Data Stream - 117 bytes -> C:\Documents and Settings\All Users\Application Data\TEMP:2615E8F1
< End of report >


OTL Extras logfile created on: 2009-12-15 17:17:36 - Run 1
OTL by OldTimer - Version 3.1.17.0 Folder = C:\Documents and Settings\natalie\Desktop\Bleeping Comp
Windows XP Home Edition Service Pack 3 (Version = 5.1.2600) - Type = NTWorkstation
Internet Explorer (Version = 7.0.5730.13)
Locale: 00000409 | Country: United States | Language: ENU | Date Format: yyyy-MM-dd

509.98 Mb Total Physical Memory | 83.73 Mb Available Physical Memory | 16.42% Memory free
1.22 Gb Paging File | 0.70 Gb Available in Paging File | 57.76% Paging File free
Paging file location(s): C:\pagefile.sys 768 1536 [binary data]

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 34.46 Gb Total Space | 4.77 Gb Free Space | 13.84% Space Free | Partition Type: NTFS
D: Drive not present or media not loaded
E: Drive not present or media not loaded
F: Drive not present or media not loaded
G: Drive not present or media not loaded
H: Drive not present or media not loaded
I: Drive not present or media not loaded

Computer Name: DH7D6961
Current User Name: natalie
Logged in as Administrator.

Current Boot Mode: Normal
Scan Mode: All users
Company Name Whitelist: On
Skip Microsoft Files: On
File Age = 14 Days
Output = Standard
Quick Scan

========== Extra Registry (SafeList) ==========


========== File Associations ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<extension>]
.html [@ = htmlfile] -- C:\Program Files\Internet Explorer\IEXPLORE.EXE (Microsoft Corporation)

[HKEY_USERS\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Classes\<extension>]
.html [@ = FirefoxHTML] -- C:\Program Files\Mozilla Firefox\firefox.exe (Mozilla Corporation)

========== Shell Spawning ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\<key>\shell\[command]\command]
batfile [open] -- "%1" %*
cmdfile [open] -- "%1" %*
comfile [open] -- "%1" %*
exefile [open] -- "%1" %*
htmlfile [edit] -- "C:\Program Files\Microsoft Office\OFFICE11\msohtmed.exe" %1 File not found
htmlfile [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
htmlfile [opennew] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
http [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
https [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome (Microsoft Corporation)
piffile [open] -- "%1" %*
regfile [merge] -- Reg Error: Key error.
scrfile [config] -- "%1"
scrfile [install] -- rundll32.exe desk.cpl,InstallScreenSaver %l (Microsoft Corporation)
scrfile [open] -- "%1" /S
txtfile [edit] -- Reg Error: Key error.
Unknown [openas] -- %SystemRoot%\system32\rundll32.exe %SystemRoot%\system32\shell32.dll,OpenAs_RunDLL %1
Directory [Browse with Paint Shop Pro Studio] -- "C:\Program Files\Jasc Software Inc\Paint Shop Pro Studio\\Paint Shop Pro Studio.exe" "/Browse" "%L" (Jasc Software, Inc.)
Directory [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Folder [open] -- %SystemRoot%\Explorer.exe /idlist,%I,%L (Microsoft Corporation)
Folder [explore] -- %SystemRoot%\Explorer.exe /e,/idlist,%I,%L (Microsoft Corporation)
Drive [find] -- %SystemRoot%\Explorer.exe (Microsoft Corporation)
Applications\iexplore.exe [open] -- "C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1 (Microsoft Corporation)
CLSID\{871C5380-42A0-1069-A2EA-08002B30309D} [OpenHomePage] -- "%programfiles%\internet explorer\iexplore.exe"

========== Security Center Settings ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirstRunDisabled" = 1
"AntiVirusDisableNotify" = 0
"FirewallDisableNotify" = 0
"AntiVirusOverride" = 0
"FirewallOverride" = 0
"UpdatesDisableNotify" = 0

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\AhnlabAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ComputerAssociatesAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\KasperskyAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\McAfeeFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\PandaFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SophosAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\SymantecFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TinyFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendAntiVirus]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\TrendFirewall]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Monitoring\ZoneLabsFirewall]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"26675:TCP" = 26675:TCP:169.254.2.0/255.255.255.0:Enabled:ActiveSync Service
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"2569:TCP" = 2569:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"80:TCP" = 80:TCP:*:Enabled:Services

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall" = 1
"DoNotAllowExceptions" = 0
"DisableNotifications" = 0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP" = 139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
"445:TCP" = 445:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22005
"137:UDP" = 137:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22001
"138:UDP" = 138:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22002
"1900:UDP" = 1900:UDP:LocalSubNet:Enabled:@xpsp2res.dll,-22007
"2869:TCP" = 2869:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22008
"65533:TCP" = 65533:TCP:*:Enabled:Services
"52344:TCP" = 52344:TCP:*:Enabled:Services
"2479:TCP" = 2479:TCP:*:Enabled:Services
"2569:TCP" = 2569:TCP:*:Enabled:Services
"3389:TCP" = 3389:TCP:*:Enabled:Remote Desktop
"80:TCP" = 80:TCP:*:Enabled:Services

========== Authorized Applications List ==========

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\Program Files\AVG\AVG8\avgupd.exe" = C:\Program Files\AVG\AVG8\avgupd.exe:*:Enabled:avgupd.exe -- File not found
"C:\Program Files\Bonjour\mDNSResponder.exe" = C:\Program Files\Bonjour\mDNSResponder.exe:*:Enabled:Bonjour -- (Apple Inc.)
"C:\Program Files\iTunes2\iTunes.exe" = C:\Program Files\iTunes2\iTunes.exe:*:Enabled:iTunes -- (Apple Inc.)
"C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Home & Business 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Business 2007\32bit\ttax.exe" = C:\Program Files\TurboTax\Business 2007\32bit\ttax.exe:LocalSubNet:Enabled:TurboTax -- (Intuit, Inc.)
"C:\Program Files\TurboTax\Business 2007\32bit\updatemgr.exe" = C:\Program Files\TurboTax\Business 2007\32bit\updatemgr.exe:LocalSubNet:Enabled:TurboTax Update Manager -- (Intuit, Inc.)
"C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe" = C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe:LocalSubNet:Disabled:Intuit Update Shared Downloads Server -- (Intuit Inc.)


========== HKEY_LOCAL_MACHINE Uninstall List ==========

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"{06E73C0B-7DE7-4F41-860B-587033B75BD9}" = iPod Updater 2004-11-15
"{0EB5D9B7-8E6C-4A9E-B74F-16B7EE89A67B}" = Microsoft Plus! Photo Story 2 LE
"{11957169-E291-44D6-A9D3-C7F7D8EF65DA}" = Personal Resume Workshop
"{17334AAF-C9E7-483B-9F45-E3FCAF07FFA7}" = Intel® PROSet for Wired Connections
"{180D45DA-5140-48D4-BDEA-8B9CE3A6D9A4}" = TurboTax 2008 WinBizTaxSupport
"{18455581-E099-4BA8-BC6B-F34B2F06600C}" = Google Toolbar for Internet Explorer
"{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}" = Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148
"{225A137C-F371-4246-B6FF-20320297DB75}" = Canon Photo Viewer
"{2318C2B1-4965-11d4-9B18-009027A5CD4F}" = Google Toolbar for Internet Explorer
"{2637C347-9DAD-11D6-9EA2-00055D0CA761}" = Dell Media Experience
"{26A24AE4-039D-4CA4-87B4-2F83216011FF}" = Java™ 6 Update 17
"{29521505-F489-4822-ADFA-32C6DEE4F114}" = TurboTax 2008 WinPerUserEducation
"{318AB667-3230-41B5-A617-CB3BF748D371}" = iTunes
"{32A72502-BC2C-4C39-ACEA-BC3D463F0697}" = EN
"{33BB4982-DC52-4886-A03B-F4C5C80BEE89}" = Windows Media Player 10
"{350C97B0-3D7C-4EE8-BAA9-00BCB3D54227}" = WebFldrs XP
"{35BDEFF1-A610-4956-A00D-15453C116395}" = Internet Explorer Default Page
"{3E1AB596-4F70-4DA9-8BB7-703B8E78EDC6}" = OpenOffice.org 3.0
"{3F92ABBB-6BBF-11D5-B229-002078017FBF}" = Modem On Hold
"{4192EAC0-6B36-4723-B216-D0E86E7757AC}" = Jasc Paint Shop Photo Album 5
"{454D0521-C5A5-439E-A039-2D1EE8035F9F}" = PictureGear 4.5Lite
"{482064EE-6188-40C1-9A16-F9A784E3B595}" = SignGo Lite FD
"{4AEBD86C-C82E-401A-9AA0-8B8AF7A5A3CA}" = TurboTax 2008 WinBizFedFormset
"{4B9F45E8-E3CE-40B4-9463-80A9B3481DEF}" = Banctec Service Agreement
"{4C93C363-414E-11D4-9756-00C04F8EEB39}" = Macromedia Flash 5
"{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}" = FontNav
"{56D4C8A0-6126-11DD-AD8B-0800200C9A66}" = TurboTax 2008 WinBizUserEducation
"{582610B8-E496-4813-993C-4B027173FE38}" = PixiePack Codec Pack
"{5905F42D-3F5F-4916-ADA6-94A3646AEE76}" = Dell Driver Reset Tool
"{5B30AA25-BF39-4BE4-8FEE-51938BAB214D}" = TurboTax 2008 wcaiper
"{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}" = PowerDVD 5.3
"{6956856F-B6B3-4BE0-BA0B-8F495BE32033}" = Apple Software Update
"{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"{6D52C408-B09A-4520-9B18-475B81D393F1}" = Microsoft Works
"{6E45BA47-383C-4C1E-8ED0-0D4845C293D7}" = Microsoft Plus! Digital Media Edition Installer
"{71D6CE84-B7DC-4166-8E0D-56C1C37BFB5A}" = SonicStage 2.3.00
"{7299052b-02a4-4627-81f2-1818da5d550d}" = Microsoft Visual C++ 2005 Redistributable
"{74F7662C-B1DB-489E-A8AC-07A06B24978B}" = Dell System Restore
"{7570F1CA-016D-46AC-B586-CD74645EFB52}" = TurboTax 2008 WinPerFedFormset
"{78C496B9-5A6B-4692-8C2E-AFFFC34E4961}" = Jasc Paint Shop Pro Studio, Dell Editon
"{78D944D7-A97B-4004-AB0A-B5AD06839940}" = My Way Search Assistant
"{7A0EFAFB-AC4B-4B88-8C6B-6731BE88DB68}" = Modem Event Monitor
"{7C5123A9-30A8-4C44-89CA-A8C87A1FCC91}" = CorelDRAW Graphics Suite X3
"{7DD9A065-2C86-4A9F-A5FF-796EC1B99DCA}" = AnswerWorks 4.0 Runtime - English
"{7F142D56-3326-11D5-B229-002078017FBF}" = Modem Helper
"{88214092-836F-4E22-A5AC-569AC9EE6A0F}" = TurboTax 2008 WinPerReleaseEngine
"{8A25392D-C5D2-4E79-A2BD-C15DDC5B0959}" = Bonjour
"{8A708DD8-A5E6-11D4-A706-000629E95E20}" = Intel® Extreme Graphics 2 Driver
"{8C9DA1BC-CDE6-458F-AE11-7124E881EF23}" = FileMaker Pro 9 Advanced
"{8EF1122E-E90C-4EE9-AB0C-7FDE2BA42C26}" = Musicmatch® Jukebox
"{90840409-6000-11D3-8CFE-0150048383C9}" = Microsoft Office Excel Viewer 2003
"{911A0409-6000-11D3-8CFE-0050048383C9}" = Microsoft Outlook 2002
"{915341C0-8BC6-49E3-A887-B87D7FE6B467}" = SplashID for PocketPC
"{9E5A03E3-6246-4920-9630-0527D5DA9B07}" = AnswerWorks 5.0 English Runtime
"{A1F2EF0E-1EE5-4F0B-8A31-EE875EBD3F01}" = Mavis Beacon Teaches Typing 15
"{A3051CD0-2F64-3813-A88D-B8DCCDE8F8C7}" = Microsoft .NET Framework 3.0 Service Pack 2
"{AC76BA86-7AD7-1033-7B44-A81300000003}" = Adobe Reader 8.1.6
"{AF06CAE4-C134-44B1-B699-14FBDB63BD37}" = Dell Picture Studio v3.0
"{AF19F291-F22F-4798-9662-525305AE9E48}" = WordPerfect Office 12
"{AFF1EA96-9C23-4249-B7D4-CD4B54D4582F}" = TurboTax ItsDeductible 2006
"{B1DB1AD8-C07E-4052-81A1-D2930232BA70}" = TurboTax 2008 wrapper
"{B208806F-A231-4FA0-AB3F-5C1B8979223E}" = Microsoft ActiveSync 4.0
"{B23726CF-68BF-41A6-A4EB-72F12F87FE05}" = TurboTax 2008 WinPerTaxSupport
"{B6C2466E-D773-4EF5-9350-9D3D68F668BE}" = TurboTax 2008 WinBizProgramHelp
"{BB92E35A-F5B8-4D59-90F3-CF863871BCF3}" = OpenMG Secure Module 4.0.05
"{BCE72AED-3332-4863-9567-C5DCB9052CA2}" = Netflix Movie Viewer
"{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"{C09FB3CD-3D0C-3F2D-899A-6A1D67F2073F}" = Microsoft .NET Framework 2.0 Service Pack 2
"{C94E45B0-6AA6-4FB9-9AAE-22085F631880}" = VBA
"{CB2F7EDD-9D1F-43C1-90FC-4F52EAE172A1}" = Microsoft .NET Framework 1.1
"{CCFFC1DA-7A65-4C1B-98DC-3F7861F50254}" = TurboTax 2008 wrapper
"{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}" = SUPERAntiSpyware Free Edition
"{CE2CDD62-0124-36CA-84D3-9F4DCF5C5BD9}" = Microsoft .NET Framework 3.5 SP1
"{DAD36D74-C78A-4753-84DB-13FBB4FEA65C}" = PhotoStudio Expressions
"{DE1AF137-C455-494A-A817-EFE44BCCFDEE}" = Works Upgrade
"{E6D9BC25-0DBC-4368-8E4A-7DEE80661CD9}" = TurboTax 2008 WinPerProgramHelp
"{E93E5EF6-D361-481E-849D-F16EF5C78EBC}" = Musicmatch for Windows Media Player
"{EA2BEBD6-87B9-41E5-95AC-7E4C165A9475}" = WexTech AnswerWorks
"{EC4455AB-F155-4CC1-A4C5-88F3777F9886}" = Apple Mobile Device Support
"{F0A37341-D692-11D4-A984-009027EC0A9C}" = SoundMAX
"{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}" = Update Manager
"{F8D8A515-3D81-431D-BCBB-9EBA3CFE0987}" = TurboTax 2008 WinBizReleaseEngine
"{F958CA02-BB40-4007-894B-258729456EE4}" = QuickTime
"{FF81EC2D-BD14-4865-BA3B-D037220AB017}" = FileMaker Pro 10 Advanced
"Active Disk" = Active Disk
"Adobe Flash Player ActiveX" = Adobe Flash Player ActiveX
"Adobe Flash Player Plugin" = Adobe Flash Player 10 Plugin
"Adobe Illustrator 9.0.1" = Adobe Illustrator 9.0.1
"Adobe Photoshop 7.0" = Adobe Photoshop 7.0
"Adobe Shockwave Player" = Adobe Shockwave Player
"Adobe SVG Viewer" = Adobe SVG Viewer
"Advanced Font Manager3.0.0.0" = Advanced Font Manager
"ArcSoft PhotoStudio 2000" = ArcSoft PhotoStudio 2000
"ATT-AACE" = ATT-AACE
"Audacity_is1" = Audacity 1.2.6
"avast!" = avast! Antivirus
"AviSynth" = AviSynth 2.5
"BookSmart™ 1.9.9 1.9.9" = BookSmart™ 1.9.9 1.9.9
"BroadJump Client Foundation" = BroadJump Client Foundation
"CANONBJ_Deinstall_CNMCP5e.DLL" = Canon i900D
"CCleaner" = CCleaner (remove only)
"Coupon Printer for Windows4.0" = Coupon Printer for Windows
"Dell Digital Jukebox Driver" = Dell Digital Jukebox Driver
"DellSupport" = Dell Support 5.0.0 (630)
"DVD Decrypter" = DVD Decrypter (Remove Only)
"EPSON Printer and Utilities" = EPSON Printer Software
"Google Updater" = Google Updater
"HijackThis" = HijackThis 2.0.2
"IDNMitigationAPIs" = Microsoft Internationalized Domain Names Mitigation APIs
"ie7" = Windows Internet Explorer 7
"InstallShield_{06E73C0B-7DE7-4F41-860B-587033B75BD9}" = iPod Updater 2004-11-15
"InstallShield_{11957169-E291-44D6-A9D3-C7F7D8EF65DA}" = Personal Resume Workshop
"InstallShield_{69640730-B830-4C24-BB5C-222DA1260548}" = Turbo Lister 2
"InstallShield_{BB92E35A-F5B8-4D59-90F3-CF863871BCF3}" = OpenMG Secure Module 4.0.05
"InstallShield_{BD57EA4D-026E-4F08-9B93-080E282B81FE}" = iPod for Windows 2006-06-28
"Intel® 537EP V9x DF PCI Modem" = Intel® 537EP V9x DF PCI Modem
"IomegaWare" = IomegaWare 4.0.2
"JDiskReport 1.3.1" = JGoodies JDiskReport 1.3.1
"Kaspersky Online Scanner" = Kaspersky Online Scanner
"Lemonade Inc." = Lemonade Inc.
"Malwarebytes' Anti-Malware_is1" = Malwarebytes' Anti-Malware
"Microsoft .NET Framework 1.1 (1033)" = Microsoft .NET Framework 1.1
"Microsoft .NET Framework 3.5 SP1" = Microsoft .NET Framework 3.5 SP1
"Mozilla Firefox (3.5.5)" = Mozilla Firefox (3.5.5)
"MSCompPackV1" = Microsoft Compression Client Pack 1.0 for Windows XP
"MyWaySearchAssistantDE" = My Way Search Assistant
"NLSDownlevelMapping" = Microsoft National Language Support Downlevel APIs
"OfotoEZUpload" = KODAK EASYSHARE Gallery Upload ActiveX Control
"OpenMG HotFix4.0-04-11-01-01" = OpenMG Limited Patch 4.0-04-11-28-01
"Pacmania Gold" = Pacmania Gold
"Panda ActiveScan" = Panda ActiveScan
"PowerISO" = PowerISO
"PROSet" = Intel® PRO Network Adapters and Drivers
"PSP Video 9" = PSP Video 9 1.74
"QuickTime32" = QuickTime for Windows (32-bit)
"RealPlayer 6.0" = RealPlayer
"SBC.MCCInstall" = AT&T Self Support Tool
"Snails (Trial)" = Snails (Trial)
"ST6UNST #1" = Button Builder Pro Demo v1.0.72
"StreetPlugin" = Learn2 Player (Uninstall Only)
"TurboTax 2008" = TurboTax 2008
"TurboTax Business 2006" = TurboTax Business 2006
"TurboTax Business 2007" = TurboTax Business 2007
"TurboTax Business 2008" = TurboTax Business 2008
"TurboTax Home & Business 2006" = TurboTax Home & Business 2006
"TurboTax Home & Business 2007" = TurboTax Home & Business 2007
"ViewpointMediaPlayer" = Viewpoint Media Player
"VobSub" = VobSub v2.23 (Remove Only)
"Windows Media Format Runtime" = Windows Media Format 11 runtime
"Windows Media Player" = Windows Media Player 11
"Windows XP Service Pack" = Windows XP Service Pack 3
"WinRAR archiver" = WinRAR archiver
"WMFDist11" = Windows Media Format 11 runtime
"wmp11" = Windows Media Player 11
"Works2006Setup" = Microsoft Works Suite 2006 Setup Launcher
"Wudf01000" = Microsoft User-Mode Driver Framework Feature Pack 1.0
"XviD MPEG4 Video Codec" = XviD MPEG4 Video Codec (remove only)
"Yahoo! Applications" = AT&T Yahoo! Applications
"Yahoo! Photos Easy Upload Tool" = Yahoo! Photos Easy Upload Tool

========== HKEY_USERS Uninstall List ==========

[HKEY_USERS\S-1-5-21-1720846278-4117750427-1760893729-1006\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall]
"kernel" = kernel

========== Last 10 Event Log Errors ==========

[ Antivirus Events ]
Error - 2009-11-07 07:58:19 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
http://suggestqueries.google.com/complete/...20eas&cp=11
failed, 0000A413.

Error - 2009-11-24 15:55:11 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\DCIM\100KC613\100_4139.JPG failed, 0000001E.

Error - 2009-11-25 16:55:56 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\DCIM\100KC613\100_4173.JPG failed, 0000001E.

Error - 2009-11-28 04:42:32 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\R4 Theme Creator Alice.exe failed, 0000001E.

Error - 2009-12-04 07:35:19 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\100_3812.JPG failed, 0000001E.

Error - 2009-12-11 03:23:08 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\P9250677.JPG failed, 0000001E.

Error - 2009-12-12 21:48:15 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\DCIM\100KC613\100_3531.JPG failed, 0000001E.

Error - 2009-12-13 23:30:52 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\Kodak Pictures 082.jpg failed, 0000001E.

Error - 2009-12-13 23:42:49 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\100_3812.JPG failed, 0000001E.

Error - 2009-12-13 23:45:01 | Computer Name = DH7D6961 | Source = avast! | ID = 33554522
Description = AAVM - scanning error: x_AavmCheckFileDirectEx: avfilesScanReal of
E:\Intuit.TurboTax.Business.2008\TurboTax 2008\MSI\WinBizFedFormset.msi failed,
0000001E.

[ Application Events ]
Error - 2009-09-14 18:10:36 | Computer Name = DH7D6961 | Source = Application Error | ID = 1000
Description = Faulting application dvdripper.exe, version 1.6.0.1, faulting module
ntdll.dll, version 5.1.2600.5755, fault address 0x0001a5db.

Error - 2009-09-29 15:44:00 | Computer Name = DH7D6961 | Source = Application Hang | ID = 1002
Description = Hanging application firefox.exe, version 1.9.0.3498, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2009-09-30 20:55:56 | Computer Name = DH7D6961 | Source = Application Hang | ID = 1002
Description = Hanging application soffice.bin, version 3.0.9358.500, hang module
hungapp, version 0.0.0.0, hang address 0x00000000.

Error - 2009-09-30 20:56:07 | Computer Name = DH7D6961 | Source = Application Hang | ID = 1001
Description = Fault bucket 963922714.

Error - 2009-11-14 07:12:54 | Computer Name = DH7D6961 | Source = MsiInstaller | ID = 11719
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 -- Error 1719.The
Windows Installer Service could not be accessed. This can occur if you are running
Windows in safe mode, or if the Windows Installer is not correctly installed. Contact
your support personnel for assistance.

Error - 2009-11-14 07:12:55 | Computer Name = DH7D6961 | Source = MsiInstaller | ID = 1023
Description = Product: Microsoft .NET Framework 2.0 Service Pack 2 - Update 'KB974417'
could not be installed. Error code 1603. Additional information is available in
the log file C:\WINDOWS\system32\config\SYSTEM~1\LOCALS~1\Temp\Microsoft .NET Framework
2.0-KB974417_20091114_111238828-Msi0.txt.

Error - 2009-11-14 07:12:57 | Computer Name = DH7D6961 | Source = HotFixInstaller | ID = 5000
Description = EventType visualstudio8setup, P1 microsoft .net framework 2.0-kb974417,
P2 1033, P3 1603, P4 msi, P5 f, P6 9.0.40302.0, P7 install, P8 x86, P9 xp, P10
1719.

Error - 2009-12-07 18:48:31 | Computer Name = DH7D6961 | Source = Application Hang | ID = 1002
Description = Hanging application iTunes.exe, version 8.0.2.20, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2009-12-11 19:43:04 | Computer Name = DH7D6961 | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 8.1.0.137, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

Error - 2009-12-11 19:43:05 | Computer Name = DH7D6961 | Source = Application Hang | ID = 1002
Description = Hanging application AcroRd32.exe, version 8.1.0.137, hang module hungapp,
version 0.0.0.0, hang address 0x00000000.

[ System Events ]
Error - 2009-12-14 22:57:07 | Computer Name = DH7D6961 | Source = Service Control Manager | ID = 7001
Description = The Apple Mobile Device service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 2009-12-14 22:57:07 | Computer Name = DH7D6961 | Source = Service Control Manager | ID = 7001
Description = The Bonjour Service service depends on the TCP/IP Protocol Driver
service which failed to start because of the following error: %%31

Error - 2009-12-14 22:57:07 | Computer Name = DH7D6961 | Source = Service Control Manager | ID = 7001
Description = The IPSEC Services service depends on the IPSEC driver service which
failed to start because of the following error: %%31

Error - 2009-12-14 22:57:07 | Computer Name = DH7D6961 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 AFD aswSP aswTdi Fips intelppm IPSec MRxSmb NetBIOS NetBT RasAcd Rdbss SASDIFSV SASKUTIL
SCDEmu
Tcpip

Error - 2009-12-14 22:57:12 | Computer Name = DH7D6961 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service netman with
arguments "" in order to run the server: {BA126AE5-2166-11D1-B1D0-00805FC1270E}

Error - 2009-12-14 23:04:29 | Computer Name = DH7D6961 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2009-12-14 23:05:52 | Computer Name = DH7D6961 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2009-12-14 23:07:04 | Computer Name = DH7D6961 | Source = Service Control Manager | ID = 7026
Description = The following boot-start or system-start driver(s) failed to load:
Aavmker4 aswSP Fips intelppm SASDIFSV SASKUTIL SCDEmu

Error - 2009-12-14 23:10:44 | Computer Name = DH7D6961 | Source = DCOM | ID = 10005
Description = DCOM got error "%1084" attempting to start the service EventSystem
with arguments "" in order to run the server: {1BE1F766-5536-11D1-B726-00C04FB926AF}

Error - 2009-12-14 23:27:07 | Computer Name = DH7D6961 | Source = Dhcp | ID = 1000
Description = Your computer has lost the lease to its IP address 76.195.39.11 on
the Network Card with network address 00111172597E.


< End of report >
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-15 19:20:50
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOCUME~1\natalie\LOCALS~1\Temp\pxloapog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xEEC966B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xEEC96574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xEEC96A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xEEC9614C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xEEC9664E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xEEC9608C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xEEC960F0]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xEEC9676E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xEEC9672E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xEEC968AE]

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\DRIVERS\mohfilt.sys entry point in "init" section [0xF796C760]
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF7295F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0146299A
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0146294A
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 0146290E
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 014628F2
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0146277E
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01462870
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] WS2_32.dll!recv 71AB676F 5 Bytes JMP 014627B6
.text C:\Program Files\BroadJump\Client Foundation\CFD.exe[120] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 014627EE
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0100299A
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0100294A
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 0100290E
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 010028F2
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0100277E
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01002870
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] WS2_32.dll!recv 71AB676F 5 Bytes JMP 010027B6
.text C:\Program Files\Musicmatch\Musicmatch Jukebox\mmtask.exe[628] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 010027EE
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00FF299A
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00FF294A
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00FF290E
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00FF28F2
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00FF277E
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00FF2870
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00FF27B6
.text C:\Program Files\Canon\BJPV\TVMon.exe[972] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00FF27EE
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00ED299A
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00ED294A
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00ED290E
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00ED28F2
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00ED277E
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00ED2870
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00ED27B6
.text C:\Program Files\iTunes2\iTunesHelper.exe[984] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00ED27EE
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00C5299A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00C5294A
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00C5290E
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00C528F2
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00C5277E
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00C52870
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00C527B6
.text C:\Program Files\Java\jre6\bin\jusched.exe[1236] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00C527EE
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00D2299A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00D2294A
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00D2290E
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D228F2
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D2277E
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D22870
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D227B6
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1352] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D227EE
.text C:\WINDOWS\notepad.exe[1660] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00D7299A
.text C:\WINDOWS\notepad.exe[1660] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00D7294A
.text C:\WINDOWS\notepad.exe[1660] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00D7290E
.text C:\WINDOWS\notepad.exe[1660] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\notepad.exe[1660] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\notepad.exe[1660] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D728F2
.text C:\WINDOWS\notepad.exe[1660] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D7277E
.text C:\WINDOWS\notepad.exe[1660] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D72870
.text C:\WINDOWS\notepad.exe[1660] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D727B6
.text C:\WINDOWS\notepad.exe[1660] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D727EE
.text C:\WINDOWS\Explorer.EXE[1680] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 016A299A
.text C:\WINDOWS\Explorer.EXE[1680] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 016A294A
.text C:\WINDOWS\Explorer.EXE[1680] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 016A290E
.text C:\WINDOWS\Explorer.EXE[1680] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\Explorer.EXE[1680] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\Explorer.EXE[1680] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 016A28F2
.text C:\WINDOWS\Explorer.EXE[1680] WS2_32.dll!send 71AB4C27 5 Bytes JMP 016A277E
.text C:\WINDOWS\Explorer.EXE[1680] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 016A2870
.text C:\WINDOWS\Explorer.EXE[1680] WS2_32.dll!recv 71AB676F 5 Bytes JMP 016A27B6
.text C:\WINDOWS\Explorer.EXE[1680] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 016A27EE
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 0268299A
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 0268294A
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 0268290E
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 026828F2
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] WS2_32.dll!send 71AB4C27 5 Bytes JMP 0268277E
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02682870
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] WS2_32.dll!recv 71AB676F 5 Bytes JMP 026827B6
.text C:\Program Files\Dell\Media Experience\PCMService.exe[1992] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 026827EE
.text C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\ImgIcon.exe[2012] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\ImgIcon.exe[2012] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01A928F2
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] WS2_32.dll!send 71AB4C27 5 Bytes JMP 01A9277E
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 01A92870
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01A927B6
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 01A927EE
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 01A9299A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 01A9294A
.text C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe[2456] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 01A9290E
.text C:\WINDOWS\notepad.exe[2640] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00EF299A
.text C:\WINDOWS\notepad.exe[2640] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00EF294A
.text C:\WINDOWS\notepad.exe[2640] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00EF290E
.text C:\WINDOWS\notepad.exe[2640] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\notepad.exe[2640] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\notepad.exe[2640] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EF28F2
.text C:\WINDOWS\notepad.exe[2640] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EF277E
.text C:\WINDOWS\notepad.exe[2640] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EF2870
.text C:\WINDOWS\notepad.exe[2640] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EF27B6
.text C:\WINDOWS\notepad.exe[2640] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EF27EE
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 046E28F2
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] WS2_32.dll!send 71AB4C27 5 Bytes JMP 046E277E
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 046E2870
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] WS2_32.dll!recv 71AB676F 5 Bytes JMP 046E27B6
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 046E27EE
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 046E299A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 046E294A
.text C:\Program Files\Alwil Software\Avast4\ashWebSv.exe[2712] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 046E290E
.text C:\WINDOWS\system32\wuauclt.exe[2796] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00EA299A
.text C:\WINDOWS\system32\wuauclt.exe[2796] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00EA294A
.text C:\WINDOWS\system32\wuauclt.exe[2796] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00EA290E
.text C:\WINDOWS\system32\wuauclt.exe[2796] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00EA28F2
.text C:\WINDOWS\system32\wuauclt.exe[2796] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00EA277E
.text C:\WINDOWS\system32\wuauclt.exe[2796] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00EA2870
.text C:\WINDOWS\system32\wuauclt.exe[2796] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00EA27B6
.text C:\WINDOWS\system32\wuauclt.exe[2796] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00EA27EE
.text C:\Program Files\iPod\bin\iPodService.exe[2860] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00B2299A
.text C:\Program Files\iPod\bin\iPodService.exe[2860] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00B2294A
.text C:\Program Files\iPod\bin\iPodService.exe[2860] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00B2290E
.text C:\Program Files\iPod\bin\iPodService.exe[2860] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F2
.text C:\Program Files\iPod\bin\iPodService.exe[2860] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B2277E
.text C:\Program Files\iPod\bin\iPodService.exe[2860] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22870
.text C:\Program Files\iPod\bin\iPodService.exe[2860] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B6
.text C:\Program Files\iPod\bin\iPodService.exe[2860] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227EE
.text C:\Documents and Settings\natalie\Desktop\Bleeping Comp\gmer.exe[2972] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Documents and Settings\natalie\Desktop\Bleeping Comp\gmer.exe[2972] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 02A2299A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02A2294A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 02A2290E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 02A228F2
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!send 71AB4C27 5 Bytes JMP 02A2277E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 02A22870
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02A227B6
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 02A227EE
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] SHELL32.dll!SHFileOperation 7CA70C0C 5 Bytes JMP 30001430 C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 007D28F2
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] WS2_32.dll!send 71AB4C27 5 Bytes JMP 007D277E
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 007D2870
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] WS2_32.dll!recv 71AB676F 5 Bytes JMP 007D27B6
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 007D27EE
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 007D299A
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 007D294A
.text C:\Program Files\Bonjour\mDNSResponder.exe[3212] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 007D290E
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00A8299A
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00A8294A
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00A8290E
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00A828F2
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00A8277E
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00A82870
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00A827B6
.text C:\Program Files\Common Files\Intuit\Update Service\IntuitUpdateService.exe[3356] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00A827EE
.text C:\WINDOWS\System32\alg.exe[3376] ADVAPI32.dll!CryptDestroyKey 77DE9EBC 7 Bytes JMP 00B2299A
.text C:\WINDOWS\System32\alg.exe[3376] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 00B2294A
.text C:\WINDOWS\System32\alg.exe[3376] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 00B2290E
.text C:\WINDOWS\System32\alg.exe[3376] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00B228F2
.text C:\WINDOWS\System32\alg.exe[3376] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00B2277E
.text C:\WINDOWS\System32\alg.exe[3376] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00B22870
.text C:\WINDOWS\System32\alg.exe[3376] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00B227B6
.text C:\WINDOWS\System32\alg.exe[3376] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00B227EE

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[800] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002
IAT C:\WINDOWS\system32\services.exe[800] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

Device \FileSystem\Fastfat \Fat ED1EDD20
Device \FileSystem\Fastfat \Fat ED205631

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)

Device \Driver\iomdisk -> \Device\Harddisk0\DR0 82CB1920

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Classes\.mgbnd\Intel® PRO/100 VE Network Connection - Packet Scheduler Miniport@2009-12-15 6060|161812|46760
Reg HKLM\SOFTWARE\Classes\.mgcpu@2009-12-15 14

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\ServicePackFiles\ServicePackCache\i386 0 bytes

---- EOF - GMER 1.0.15 ----

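Added triage helper for the "User code sections" part of a GMER report like the one above; it is not from the thread or from GMER. It parses each `.text` hook line, separates hooks whose JMP target GMER attributed to a named module (here IMGHOOK.DLL) from those it could not, and groups the unattributed targets per process by 64 KiB region so a helper can see whether all hooks in a process land in one code blob. The sample lines are copied from the report in this post.

```python
"""Triage of GMER 'User code sections' hook lines (added example).

Each line under that heading names a process, the import being patched
(DLL!function), the original address, the patch size, the JMP target and,
when GMER can attribute the target address to a loaded module, that module's
path and vendor in parentheses.  A hook whose target GMER cannot attribute to
a named module is not proof of infection, but it is the first thing to look
at: filter and shim DLLs normally show up with a name, injected code often
does not.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Sample lines copied from the GMER report quoted in this thread.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1680] ADVAPI32.dll!CryptEncrypt 77DEE360 7 Bytes JMP 016A290E
.text C:\WINDOWS\Explorer.EXE[1680] SHELL32.dll!SHFileOperationW 7CA70924 5 Bytes JMP 3000141E C:\DELL\HIGH SPEED INTERNET OFFERS\CONSUMER\STYLES\MPS\MORPHEUS\DOWNLOADS\DriveIcons\IMGHOOK.DLL (IMGHOOK/Iomega Corporation)
.text C:\WINDOWS\Explorer.EXE[1680] WS2_32.dll!send 71AB4C27 5 Bytes JMP 016A277E
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] WS2_32.dll!recv 71AB676F 5 Bytes JMP 02A227B6
.text C:\Program Files\Mozilla Firefox\firefox.exe[3092] ADVAPI32.dll!CryptDecrypt 77DEA129 7 Bytes JMP 02A2294A

---- User IAT/EAT - GMER 1.0.15 ----
"""

# One GMER hook line.  The trailing "path (module/vendor)" group is optional:
# GMER omits it when the JMP target lies in no module it knows about.
HOOK_RE = re.compile(
    r"^\.text (?P<process>.+?)\[(?P<pid>\d+)\] "
    r"(?P<module>[^!\s]+)!(?P<function>\S+) "
    r"(?P<address>[0-9A-Fa-f]+) (?P<size>\d+) Bytes JMP (?P<target>[0-9A-Fa-f]+)"
    r"(?: (?P<target_module>.+?) \((?P<target_vendor>[^)]*)\))?$"
)


@dataclass(frozen=True)
class Hook:
    process: str
    pid: int
    api: str                        # e.g. "WS2_32.dll!send"
    target: int                     # JMP destination as an integer
    target_module: Optional[str]    # None when GMER named no module


def parse_hooks(report: str) -> List[Hook]:
    """Extract every '.text ... JMP ...' line; other GMER sections are skipped."""
    hooks: List[Hook] = []
    for line in report.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue  # section headings, blank lines, SSDT/IAT/device lines
        hooks.append(Hook(
            process=m["process"],
            pid=int(m["pid"]),
            api=f"{m['module']}!{m['function']}",
            target=int(m["target"], 16),
            target_module=m["target_module"],
        ))
    return hooks


def unattributed_hooks(hooks: List[Hook]) -> List[Hook]:
    """Hooks whose JMP target GMER could not tie to a loaded module."""
    return [h for h in hooks if h.target_module is None]


def injected_regions(hooks: List[Hook]) -> Dict[Tuple[str, int], Set[int]]:
    """Group unattributed JMP targets per process by 64 KiB region.

    When every unattributed hook in a process lands in the same region
    (in this thread's report all Explorer.EXE hooks go to 0x016A2xxx), the
    hooks most likely come from a single code blob mapped at that region
    rather than from several independent components.
    """
    regions: Dict[Tuple[str, int], Set[int]] = defaultdict(set)
    for h in unattributed_hooks(hooks):
        regions[(h.process, h.pid)].add(h.target & ~0xFFFF)
    return dict(regions)


def summarize(report: str) -> List[str]:
    """Human-readable triage lines, one per process with unattributed hooks."""
    hooks = parse_hooks(report)
    by_proc: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for h in unattributed_hooks(hooks):
        by_proc[(h.process, h.pid)].append(h.api)
    regions = injected_regions(hooks)
    out = []
    for (proc, pid), apis in sorted(by_proc.items()):
        bases = ", ".join(f"0x{b:08X}" for b in sorted(regions[(proc, pid)]))
        out.append(f"{proc}[{pid}]: {len(apis)} hook(s) into unnamed region(s) "
                   f"{bases}: {', '.join(sorted(apis))}")
    return out


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```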

#6 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:42 AM

Posted 16 December 2009 - 09:52 AM

If you access Ebay or Paypal using Internet Explorer instead of Firefox, does the same thing happen?
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#7 geminis076
  • Topic Starter
  • Members
  • 22 posts
  • Location:California
  • Local time:03:42 AM

Posted 16 December 2009 - 04:15 PM

If you access Ebay or Paypal using Internet Explorer instead of Firefox, does the same thing happen?


Hi, yes the same thing happens. I tried Explorer the other night to see if it was just affecting Firefox and the same eBay form appeared.

#8 geminis076
  • Topic Starter
  • Members
  • 22 posts
  • Location:California
  • Local time:03:42 AM

Posted 16 December 2009 - 04:55 PM

Hi, I was on my laptop when I replied above. I just checked on the infected computer, and with both Explorer and Firefox I was able to access both PayPal and eBay without getting the message. But my experience has been that it comes and goes; more often than not it appears, and I did get it the other night through Explorer.

Should I avoid signing into my PayPal & eBay account on the infected desktop computer? Not sure if my password and other info are being sent to the wrong people :( .

#9 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:42 AM

Posted 16 December 2009 - 06:20 PM

So far I'm not finding any signs that you actually are infected.

Please run a scan with Secunia Online Scanner and address any issues that it finds.
http://secunia.com/vulnerability_scanning/online/


Please do an online scan with Kaspersky WebScanner.
  • Please visit the Kaspersky Online Scanner website.
  • Click on the Accept button and install any components it needs.
  • The program will install and then begin downloading the latest definition files.
  • After the files have been downloaded, on the left side of the page in the Scan section, select My Computer.
  • This will start the program and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, click on View scan report.
  • Now, click on the Save Report as button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


#10 geminis076
  • Topic Starter
  • Members
  • 22 posts
  • Location:California
  • Local time:03:42 AM

Posted 17 December 2009 - 07:49 AM

Hello,

Things went smoothly with the Secunia Online Scanner, I updated everything it said needed to be updated. But I had a terrible time with Kaspersky :( . It updated its database fine, everything listed itself as 100% successful, my issue was with the scan itself. I tried about 5 times over several hours using both Firefox and Explorer, I did disable my Avast antivirus, but the scan would consistently stall at about 30%. The Time Duration clock would stop too, I would leave it alone anywhere from 30 minutes to an hour and neither resumed.

Each scan indicated that 1 Threat and 1 Infected object had been detected, everything else as of the 30% mark had a zero detection. The only thing I could think to do was run the scan one last time before going to bed, wait until the Threat notice had appeared, and stop the scan before it had a chance to stall so I could at least get a partial result with what it had found. I wasn't able to view the report the previous times after it had stalled, did a quick test to see if I could view the report prior to stalling which worked fine.

Hope this helps, if you have any troubleshooting tips for Kaspersky please let me know and I'll try again.


--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Thursday, December 17, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Thursday, December 17, 2009 10:38:40
Records in database: 3381761
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 18641
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 00:46:17


File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Mozilla\Firefox\Profiles\mdfkcawc.default\Cache\B5C02376d01 Infected: Exploit.Win32.Pidief.cvl 1

Scanning stopped by the user.

#11 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:42 AM

Posted 17 December 2009 - 09:00 AM

Sometimes Kaspersky can be like that unfortunately.

Open up Firefox and click Tools -> Add-ons
Select Extensions.

Please let me know all the extensions that are listed there.

#12 geminis076
  • Topic Starter
  • Members
  • 22 posts
  • Location:California
  • Local time:03:42 AM

Posted 17 December 2009 - 05:54 PM

Hello,

The following are the only 4 items listed:


Google Toolbar for Firefox 3.1.20081127W

Java Quick Starter 1.0

Microsoft .NET Framework Assistant 1.1

RealPlayer Browser Record Plugin 1.0


Thanks!

#13 geminis076
  • Topic Starter
  • Members
  • 22 posts
  • Location:California
  • Local time:03:42 AM

Posted 18 December 2009 - 07:41 AM

Hi,

I was finally able to complete the Kaspersky scan! My first attempt once again stalled at about 30% without ever resuming, but I noticed that all the scans were stopping at the same computer file. It was from an old program I no longer use, so I backed it up and got rid of it, and my 2nd scan attempt took and was able to finish - 4 hours later :( .

Here is the report, thanks :

--------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER 7.0: scan report
Friday, December 18, 2009
Operating system: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner version: 7.0.26.13
Last database update: Friday, December 18, 2009 06:20:56
Records in database: 3384120
--------------------------------------------------------------------------------

Scan settings:
scan using the following database: extended
Scan archives: yes
Scan e-mail databases: yes

Scan area - My Computer:
C:\
D:\

Scan statistics:
Objects scanned: 144033
Threats found: 1
Infected objects found: 1
Suspicious objects found: 0
Scan duration: 05:02:34


File name / Threat / Threats count
C:\Documents and Settings\HelpAssistant\Local Settings\Application Data\Mozilla\Firefox\Profiles\mdfkcawc.default\Cache\B5C02376d01 Infected: Exploit.Win32.Pidief.cvl 1

Selected area has been scanned.

#14 Buckeye_Sam

    Malware Expert

  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:06:42 AM

Posted 18 December 2009 - 08:39 AM

Follow the steps here to clear your Firefox cookies and cache. Then open Firefox safe mode and see if the problem still occurs.

http://support.mozilla.com/en-US/kb/Basic+troubleshooting

#15 geminis076
  • Topic Starter
  • Members
  • 22 posts
  • Location:California
  • Local time:03:42 AM

Posted 18 December 2009 - 03:51 PM

Hello,

The fake eBay and PayPal forms still appear while in Firefox safe mode; all cookies and cache were cleared. Before switching to Firefox safe mode I was experiencing website redirects, and two Trojan alerts from Avast popped up while being redirected. As an update, I haven't tried today, but as of this message I am still not able to place my system on stand-by; it stays forever on a blue Preparing to Stand-by window, which had never occurred before this issue.

Thanks!



